Hello,

Returning two (or more) tokens is a standard part of OIDC. You can read about it at
https://openid.net/specs/openid-connect-core-1_0.html#TokenResponse

In other words, when a client requests a token from the identity provider (e.g. at the /token endpoint), the response will be something like:

{
  "access_token": "<DPoP-bound Access Token as JWT>",
  "token_type": "Bearer",
  "refresh_token": "<Refresh Token>",
  "expires_in": 3600,
  "id_token": "<ID Token as JWT>"
}

The client can retrieve the access token and ID token from this JSON payload. If "offline" scope was part of the interaction (and supported by the identity provider), then a refresh token will also be provided.

Regards,
Aaron

On Sun, 11 Oct 2020 at 02:58, divoplade <d@divoplade.fr> wrote:
> Dear authentication panel,
>
> The identity provider should return two tokens: the OIDC ID token (that
> the client application should keep for itself) and the DPoP-bound
> access token (that the client presents to the resource server).
>
> How is it supposed to do so? I assume it should redirect (302 with
> Location:) the browser to the requested redirect_uri (provided it
> appears in the client manifest in the client webid) with additional GET
> parameters.
>
> The DPoP draft has scarce information on this. I can only imagine that
> there must be a query parameter "token_type" with the value of "DPoP".
> How are the id token and access token passed?
>
> Best regards,
>
> divoplade
>
>

Received on Sunday, 11 October 2020 14:02:26 UTC
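As an added illustration of the token response described in the reply above (example code, not from the original thread or any Solid library): a client-side parser that checks the OIDC-required fields, pulls the ID token and access token apart, and tells a DPoP-bound access token (token_type "DPoP" with a cnf.jkt claim, as the DPoP draft defines it) from a plain Bearer one. The sample tokens and response bodies are constructed here with dummy signatures; the JWT decoding is structural only and assumes signatures are verified separately against the identity provider's keys.

```python
import base64
import json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sample_jwt(claims: dict) -> str:
    # Constructed sample JWT with a dummy signature segment, for the parser below only.
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.dummy-signature"

ID_CLAIMS = {"iss": "https://idp.example", "sub": "https://alice.example/profile#me",
             "aud": "https://client.example/id"}  # constructed values

# Constructed /token responses: one DPoP-bound (cnf.jkt = thumbprint of the client's
# DPoP key), one plain Bearer token as in the reply's own example.
SAMPLE_DPOP_RESPONSE = json.dumps({
    "access_token": _sample_jwt({"sub": ID_CLAIMS["sub"], "aud": "solid",
                                 "cnf": {"jkt": "CONSTRUCTED-JWK-THUMBPRINT"}}),
    "token_type": "DPoP", "refresh_token": "constructed-refresh-token",
    "expires_in": 3600, "id_token": _sample_jwt(ID_CLAIMS)})
SAMPLE_BEARER_RESPONSE = json.dumps({
    "access_token": _sample_jwt({"sub": ID_CLAIMS["sub"], "aud": "solid"}),
    "token_type": "Bearer", "expires_in": 3600, "id_token": _sample_jwt(ID_CLAIMS)})

def jwt_claims(token: str) -> dict:
    """Decode the payload segment of a compact JWS. Does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def parse_token_response(body: str, offline_requested: bool = False) -> dict:
    """Split a token response into the parts the client keeps and the part it presents."""
    resp = json.loads(body)
    for field in ("access_token", "token_type", "id_token"):  # required by OIDC Core 3.1.3.3
        if field not in resp:
            raise ValueError(f"token response missing required field {field!r}")
    if offline_requested and "refresh_token" not in resp:
        raise ValueError("offline scope requested but no refresh_token returned")
    access_claims = jwt_claims(resp["access_token"])
    # DPoP-bound tokens are signalled by token_type "DPoP" and carry cnf.jkt, the
    # thumbprint of the key the client must prove possession of at the resource server.
    dpop_bound = resp["token_type"].lower() == "dpop" and "jkt" in access_claims.get("cnf", {})
    return {"access_token": resp["access_token"],   # presented to the resource server
            "id_claims": jwt_claims(resp["id_token"]),  # kept by the client
            "refresh_token": resp.get("refresh_token"),
            "dpop_bound": dpop_bound,
            "jkt": access_claims.get("cnf", {}).get("jkt")}
```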
This archive was generated by hypermail 2.4.0 : Sunday, 11 October 2020 14:02:27 UTC