
Re: How does the identity provider return two tokens?

From: Aaron Coburn <acoburn@apache.org>
Date: Sun, 11 Oct 2020 10:02:00 -0400
Message-ID: <CAD4uyLdH_QbNSy5WuLPMk6-eyQuEzbzi05u9X5p=9yMefYxJBA@mail.gmail.com>
To: divoplade <d@divoplade.fr>
Cc: public-solid <public-solid@w3.org>

Returning two (or more) tokens is a standard part of OIDC. You can read
about it at

In other words, when a client requests a token from the identity provider
(e.g. at the /token endpoint), the response will be something like:

   {
     "access_token": "<DPoP-bound Access Token as JWT>",
     "token_type": "Bearer",
     "refresh_token": "<Refresh Token>",
     "expires_in": 3600,
     "id_token": "<ID Token as JWT>"
   }

The client can retrieve the access token and ID token from this JSON
payload. If "offline" scope was part of the interaction (and supported by
the identity provider), then a refresh token will also be provided.


On Sun, 11 Oct 2020 at 02:58, divoplade <d@divoplade.fr> wrote:

> Dear authentication panel,
> The identity provider should return two tokens: the OIDC ID token (that
> the client application should keep for itself) and the DPoP-bound
> access token (that the client presents to the resource server).
> How is it supposed to do so? I assume it should redirect (302 with
> Location:) the browser to the requested redirect_uri (provided it
> appears in the client manifest in the client webid) with additional GET
> parameters.
> The DPoP draft has scarce information on this. I can only imagine that
> there must be a query parameter "token_type" with the value of "DPoP".
> How are the id token and access token passed?
> Best regards,
> divoplade
Received on Sunday, 11 October 2020 14:02:26 UTC

This archive was generated by hypermail 2.4.0 : Sunday, 11 October 2020 14:02:27 UTC