There could be a reason for an id_token to be passed back around to the same AS/IdP: There are "stateful" models for deriving identity information about the user in front of you, and alternatively "stateless" models where the information shows up with the user. There are pros and cons to each method.Eve Maler
Cell +1 425.345.6756 | Skype: xmlgrrl | Twitter: @xmlgrrlOn Mon, Jun 27, 2016 at 1:03 PM, Justin Richer <jricher@mit.edu> wrote:+1 to George’s comment. What you’re describing isn’t an OpenID Connect ID Token.— JustinOn Jun 27, 2016, at 1:01 PM, George Fletcher <george.fletcher@teamaol.com> wrote:Then why use an id_token in this context? Why not just use the access_token which will have the additional scopes bound to it? If the UMA AS is also the OpenID Connect provider, it will know about the claims bound to that user and I don't think they need to be passed in the id_token. This resolves the audience issues with the id_token.
I do feel like this is a different UMA token profile which should be pretty easy to write for your constrained environment. In this profile you could allow for a "permission ticketless token" which is what the returned access_token would be and then define how the AS should process it against a specific identified resource.
Thanks,
George
On 6/27/16 12:55 PM, James Phillpotts wrote:
I'm assuming (2) - not interested in any tokens from other IdPs. Yes, I'm assuming that in this case the client is using the UMA AS as the OpenID Connect IdP, and wants to add extra claims for up-front token acquisition (as per other thread), which the OpenID Connect extension request parameters are useful for providing.
CheersJames
On 27 June 2016 at 17:51, George Fletcher <george.fletcher@teamaol.com> wrote:
Yes, but then either (1) the AS is NOT the issuer of the id_token and can't process it because of the audience restrictions or (2) the AS is the issuer of the id_token and this is a very specialized and restricted use case. Also, if the client is doing pure OAuth it won't get an id_token so in this context the client would need to be using the UMA AS as the client's OpenID Connect provider.
Maybe I'm missing something?
Thanks,
George
On 6/27/16 12:47 PM, James Phillpotts wrote:
The RS wouldn't know it's been given an ID Token though - it would just have a bearer token with some long string that it is then going to send on to the AS.
J.
On 27 June 2016 at 17:36, George Fletcher <george.fletcher@teamaol.com> wrote:
Another issue with id_tokens that affects this kind of a use case is that id_tokens are currently audience bound to the client, so if you send it to the RS, it should be rejected because the RS is not the audience of the id_token. It's possible to get around the audience issues using a token exchange mechanism, but then the resulting token is not an id_token but just another JWT functioning as an access token (per Justin's last paragraph).
Thanks,
George
On 6/23/16 5:12 PM, Justin Richer wrote:
ID tokens and access tokens are different creatures. ID Tokens are assertions that describe an authentication event. They’re meant to be consumed and, generally, tossed. The client doesn’t store them to use them with other services. The access token defines an access delegation and is consumed by the resource, not the client. The client holds on to the access token so that it can use it with the resource over time, until the token isn’t good anymore. If instead what you’re saying is to declare a JWT-formatted access token, that’s something else entirely — but don’t call it an ID token. JWTs have their own issues and tradeoffs when used as access tokens. — JustinOn Jun 23, 2016, at 7:18 AM, James Phillpotts <james.phillpotts@forgerock.com> wrote: Hi again, Another suggestion for consideration in UMA-next is whether we should support ID Tokens as an alternative to OAuth2 access tokens for bearer tokens from the Client to the RS. As the ID Token would be minted by the AS, then it should be able to introspect it just as it would an access token. This would also have an advantage in the token-first flow I outlined in my other mail, where the Client can use the additional claims part of requesting an ID Token in OpenID Connect to get the AS to eagerly get extra claims for the user, for example at the time of enrolment. Cheers James _______________________________________________ WG-UMA mailing list WG-UMA@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/wg-uma_______________________________________________ WG-UMA mailing list WG-UMA@kantarainitiative.org http://kantarainitiative.org/mailman/listinfo/wg-uma
-- Distinguished Engineer Identity Services Engineering Work: george.fletcher@teamaol.com AOL Inc. AIM: gffletch Mobile: +1-703-462-3494 Twitter: http://twitter.com/gffletch Office: +1-703-265-2544 Photos: http://georgefletcher.photography
-- Distinguished Engineer Identity Services Engineering Work: george.fletcher@teamaol.com AOL Inc. AIM: gffletch Mobile: +1-703-462-3494 Twitter: http://twitter.com/gffletch Office: +1-703-265-2544 Photos: http://georgefletcher.photography
_______________________________________________
WG-UMA mailing list
WG-UMA@kantarainitiative.org
http://kantarainitiative.org/mailman/listinfo/wg-uma