Yes, but then either (1) the AS is NOT the issuer of the id_token and can't process it because of the audience restrictions or (2) the AS is the issuer of the id_token and this is a very specialized and restricted use case. Also, if the client is doing pure OAuth it won't get an id_token so in this context the client would need to be using the UMA AS as the client's OpenID Connect provider.

Maybe I'm missing something?

Thanks,
George

On 6/27/16 12:47 PM, James Phillpotts wrote:
The RS wouldn't know it's been given an ID Token though - it would just have a bearer token with some long string that it is then going to send on to the AS.

J.

On 27 June 2016 at 17:36, George Fletcher <george.fletcher@teamaol.com> wrote:
Another issue with id_tokens that affects this kind of a use case is that id_tokens are currently audience bound to the client, so if you send it to the RS, it should be rejected because the RS is not the audience of the id_token. It's possible to get around the audience issues using a token exchange mechanism, but then the resulting token is not an id_token but just another JWT functioning as an access token (per Justin's last paragraph).

Thanks,
George

On 6/23/16 5:12 PM, Justin Richer wrote:
ID tokens and access tokens are different creatures. ID Tokens are assertions that describe an authentication event. They’re meant to be consumed and, generally, tossed. The client doesn’t store them to use them with other services. The access token defines an access delegation and is consumed by the resource, not the client. The client holds on to the access token so that it can use it with the resource over time, until the token isn’t good anymore. 

If instead what you’re saying is to declare a JWT-formatted access token, that’s something else entirely — but don’t call it an ID token. JWTs have their own issues and tradeoffs when used as access tokens.

 — Justin


On Jun 23, 2016, at 7:18 AM, James Phillpotts <james.phillpotts@forgerock.com> wrote:

Hi again,

Another suggestion for consideration in UMA-next is whether we should support ID Tokens as an alternative to OAuth2 access tokens for bearer tokens from the Client to the RS. As the ID Token would be minted by the AS, then it should be able to introspect it just as it would an access token.

This would also have an advantage in the token-first flow I outlined in my other mail, where the Client can use the additional claims part of requesting an ID Token in OpenID Connect to get the AS to eagerly get extra claims for the user, for example at the time of enrolment.

Cheers
James
_______________________________________________
WG-UMA mailing list
WG-UMA@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/wg-uma

_______________________________________________
WG-UMA mailing list
WG-UMA@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/wg-uma




-- 
Distinguished Engineer                   
Identity Services Engineering     Work: george.fletcher@teamaol.com
AOL Inc.                          AIM:  gffletch
Mobile: +1-703-462-3494           Twitter: http://twitter.com/gffletch
Office: +1-703-265-2544           Photos: http://georgefletcher.photography