- From: divoplade <d@divoplade.fr>
- Date: Tue, 06 Oct 2020 14:52:16 +0200
- To: Aaron Coburn <acoburn@apache.org>, Michiel de Jong <michiel@unhosted.org>
- Cc: public-solid <public-solid@w3.org>
Hello,

On Tuesday, 06 October 2020 at 08:31 -0400, Aaron Coburn wrote:

> Under OIDC, an ID token is for use by a client application. That client application may use that token to determine the user's name, profile image, etc. The OIDC specification requires that this token be structured as a JWT so that a client can rely on a single mechanism for parsing/validating that token. Notably, the aud (audience) claim in an ID token is the client_id. In other words, an ID token is for the client and should not be used elsewhere. And an ID token should *definitely not* be used for resource access.

This is what I was missing. It is only used between the client and the identity provider. What is its use then? It is not used to get a dpop-bound access token, since it is issued at the same time. The informative basic flow section does not use it either. Should I infer that it may be used to refresh the dpop-bound access token?

divoplade
Received on Tuesday, 6 October 2020 12:52:57 UTC
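The audience rule quoted above (the ID token's `aud` is the `client_id`, so a resource server must not accept it) can be shown in code. The following is an added example, not code from the thread, the Solid project or any OIDC library: it mints an HS256 ID token with the standard library and runs the same verification routine from two vantage points. The issuer, client_id, resource URL and shared secret are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo values: hypothetical, not real Solid or OIDC endpoints.
ISSUER = "https://idp.example"          # hypothetical OpenID Provider
CLIENT_ID = "https://app.example/id"    # hypothetical client_id; the ID token's audience
RESOURCE = "https://pod.example/"       # hypothetical resource server
SHARED_SECRET = b"demo-only-secret"     # constructed HS256 key shared by issuer and verifiers


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims: dict, key: bytes = SHARED_SECRET) -> str:
    """Issue a compact-serialised HS256 JWT (the identity provider's side)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes, expected_aud: str, now: Optional[int] = None) -> dict:
    """Check signature, issuer, audience and expiry; return claims or raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    h64, p64, s64 = parts
    header = json.loads(_b64url_decode(h64))
    if header.get("alg") != "HS256":  # pin the algorithm instead of trusting the header
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(s64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")  # RFC 7519 allows a single string or a list
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        raise ValueError(f"audience {audiences!r} does not include {expected_aud!r}")
    now = int(time.time()) if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def issue_id_token(now: int) -> str:
    """ID token as the provider mints it for one client: aud is that client_id."""
    return mint_jwt({
        "iss": ISSUER,
        "sub": "https://alice.example/profile#me",  # constructed WebID-style subject
        "aud": CLIENT_ID,
        "iat": now,
        "exp": now + 300,
        "name": "Alice",  # profile claims are what the client reads from an ID token
    })


def client_accepts_id_token(token: str, now: int) -> bool:
    """Client side: the ID token is usable only if it was issued to this client."""
    try:
        verify_jwt(token, SHARED_SECRET, expected_aud=CLIENT_ID, now=now)
        return True
    except ValueError:
        return False


def resource_server_accepts(token: str, now: int) -> bool:
    """Resource side: a token addressed to a client_id is not addressed to us."""
    try:
        verify_jwt(token, SHARED_SECRET, expected_aud=RESOURCE, now=now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    now = int(time.time())
    token = issue_id_token(now)
    print("client accepts ID token:", client_accepts_id_token(token, now))
    print("resource server accepts it:", resource_server_accepts(token, now))
```

The same `verify_jwt` rejects the token at the resource server purely on the audience check, which is the point of the quoted paragraph: nothing about the signature or expiry differs, only who the token was issued to.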