I'd say that an ID Token represents an identity that has been verified in some way by the AS - in that sense it is useful to UMA, where we simply want to verify that the request comes from an identity that has been granted permissions to access the resource.

However, if your point is that the access token that could have been requested with the ID token is fit for this purpose, I'm happy with that.

J.

On 23 June 2016 at 22:12, Justin Richer <jricher@mit.edu> wrote:
ID tokens and access tokens are different creatures. ID Tokens are assertions that describe an authentication event. They’re meant to be consumed and, generally, tossed. The client doesn’t store them to use them with other services. The access token defines an access delegation and is consumed by the resource, not the client. The client holds on to the access token so that it can use it with the resource over time, until the token isn’t good anymore.

If instead what you’re saying is to declare a JWT-formatted access token, that’s something else entirely — but don’t call it an ID token. JWTs have their own issues and tradeoffs when used as access tokens.

 — Justin

> On Jun 23, 2016, at 7:18 AM, James Phillpotts <james.phillpotts@forgerock.com> wrote:
>
> Hi again,
>
> Another suggestion for consideration in UMA-next is whether we should support ID Tokens as an alternative to OAuth2 access tokens for bearer tokens from the Client to the RS. As the ID Token would be minted by the AS, then it should be able to introspect it just as it would an access token.
>
> This would also have an advantage in the token-first flow I outlined in my other mail, where the Client can use the additional claims part of requesting an ID Token in OpenID Connect to get the AS to eagerly get extra claims for the user, for example at the time of enrolment.
>
> Cheers
> James
> _______________________________________________
> WG-UMA mailing list
> WG-UMA@kantarainitiative.org
> http://kantarainitiative.org/mailman/listinfo/wg-uma