ID tokens and access tokens are different creatures. ID Tokens are assertions that describe an authentication event. They’re meant to be consumed and, generally, tossed. The client doesn’t store them to use them with other services. The access token defines an access delegation and is consumed by the resource, not the client. The client holds on to the access token so that it can use it with the resource over time, until the token isn’t good anymore.
If instead what you’re saying is to declare a JWT-formatted access token, that’s something else entirely — but don’t call it an ID token. JWTs have their own issues and tradeoffs when used as access tokens.
— Justin
> _______________________________________________
> On Jun 23, 2016, at 7:18 AM, James Phillpotts <james.phillpotts@forgerock.com> wrote:
>
> Hi again,
>
> Another suggestion for consideration in UMA-next is whether we should support ID Tokens as an alternative to OAuth2 access tokens for bearer tokens from the Client to the RS. As the ID Token would be minted by the AS, then it should be able to introspect it just as it would an access token.
>
> This would also have an advantage in the token-first flow I outlined in my other mail, where the Client can use the additional claims part of requesting an ID Token in OpenID Connect to get the AS to eagerly get extra claims for the user, for example at the time of enrolment.
>
> Cheers
> James
> WG-UMA mailing list
> WG-UMA@kantarainitiative.org
> http://kantarainitiative.org/mailman/listinfo/wg-uma
_______________________________________________
WG-UMA mailing list
WG-UMA@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/wg-uma