- From: Aaron Coburn <acoburn@apache.org>
- Date: Sun, 11 Oct 2020 10:02:00 -0400
- To: divoplade <d@divoplade.fr>
- Cc: public-solid <public-solid@w3.org>
- Message-ID: <CAD4uyLdH_QbNSy5WuLPMk6-eyQuEzbzi05u9X5p=9yMefYxJBA@mail.gmail.com>
Hello,
Returning two (or more) tokens is a standard part of OIDC. You can read
about it at
https://openid.net/specs/openid-connect-core-1_0.html#TokenResponse
In other words, when a client requests a token from the identity provider
(e.g. at the /token endpoint), the response will be something like:
{
  "access_token": "<DPoP-bound Access Token as JWT>",
  "token_type": "Bearer",
  "refresh_token": "<Refresh Token>",
  "expires_in": 3600,
  "id_token": "<ID Token as JWT>"
}
The client can retrieve the access token and ID token from this JSON
payload. If "offline" scope was part of the interaction (and supported by
the identity provider), then a refresh token will also be provided.
Regards,
Aaron
On Sun, 11 Oct 2020 at 02:58, divoplade <d@divoplade.fr> wrote:
> Dear authentication panel,
>
> The identity provider should return two tokens: the OIDC ID token (that
> the client application should keep for itself) and the DPoP-bound
> access token (that the client presents to the resource server).
>
> How is it supposed to do so? I assume it should redirect (302 with
> Location:) the browser to the requested redirect_uri (provided it
> appears in the client manifest in the client webid) with additional GET
> parameters.
>
> The DPoP draft has scarce information on this. I can only imagine that
> there must be a query parameter "token_type" with the value of "DPoP".
> How are the id token and access token passed?
>
> Best regards,
>
> divoplade
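As an added example (not part of Aaron's reply or of any Solid project code), a small Python client-side parser for the token response shape shown above: it pulls the access token, ID token and the optional refresh token out of the JSON, reads the JWT payloads for inspection without verifying them, and checks for the DPoP binding claim (cnf.jkt) in the access token. The sample response, the token values and the helper that builds demo JWTs are constructed for this example.

```python
import base64
import json
import time

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_claims(token: str) -> dict:
    """Payload of a compact JWT, read WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))

def parse_token_response(body: str, offline_requested: bool = False) -> dict:
    """Parse the /token JSON from the mail: access_token and id_token are
    required, refresh_token appears only when the offline scope was granted."""
    resp = json.loads(body)
    for key in ("access_token", "id_token", "token_type", "expires_in"):
        if key not in resp:
            raise ValueError(f"token response missing {key!r}")
    refresh = resp.get("refresh_token")
    if offline_requested and refresh is None:
        raise ValueError("offline scope requested but no refresh_token returned")
    access_claims = jwt_claims(resp["access_token"])
    # DPoP binds the access token to the client's key through the cnf.jkt
    # claim (JWK thumbprint); its presence tells the client the token is bound.
    return {
        "access_token": resp["access_token"],
        "id_token": resp["id_token"],
        "refresh_token": refresh,
        "expires_at": time.time() + int(resp["expires_in"]),
        "dpop_bound": "jkt" in access_claims.get("cnf", {}),
        "subject": jwt_claims(resp["id_token"]).get("sub"),
    }

def _fake_jwt(payload: dict) -> str:
    """Constructed demo token: real header/payload encoding, stub signature."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.stubsig"

# Constructed sample response shaped like the one quoted in the mail.
SAMPLE_RESPONSE = json.dumps({
    "access_token": _fake_jwt({"sub": "https://alice.example/profile#me",
                               "cnf": {"jkt": "CONSTRUCTED_THUMBPRINT"}}),
    "token_type": "Bearer", "refresh_token": "CONSTRUCTED_REFRESH",
    "expires_in": 3600, "id_token": _fake_jwt({"sub": "https://alice.example/profile#me"}),
})
```

The claims are read only to route the tokens (ID token stays with the client, access token goes to the resource server); a real client still verifies the signatures against the identity provider's published keys before trusting any claim.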
Received on Sunday, 11 October 2020 14:02:26 UTC