Hi Nat ... It could also be that RS is the PDP+PEP. Your model seems to fit this one.
<acl> Yes, exactly! Then, you just take id_token there and the PDP portion of the RS gives you the access token, which you present to the PEP portion of the RS.

<acl> if by "you" you're referring to the native client, then this is EXACTLY what I want to do.

1. User launches native client on iPhone
2. Native client (via UA) triggers Authorization Request (response_type=id_token) to OpenID Connect provider.
3. OpenID Connect provider authenticates user
4. Id_token is returned to the native client via the UA in Response message
5. Native client includes id_token in RESTful API calls to the RS
6. RS uses subject of id_token to make authorization decision.

It seems that every time I describe this, I get a mix of responses ranging from "that's not the intended usage of the id_token" to "sounds like that should work." This is giving me a great deal of pause.

In this case, I think id_token should be audience restricted to the RS.

<acl> absolutely!
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
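To show what the audience restriction at step 6 buys the RS, here is an added example (not code from the thread or from any named implementation) in which the RS verifies the id_token's signature, issuer, audience and expiry before trusting its sub; the issuer URL, RS audience, client_id and the HS256 shared key are constructed values chosen so the demo runs offline.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo values (assumptions, not from the thread).
ISSUER = "https://op.example"                 # the OpenID Connect provider
NATIVE_CLIENT_ID = "native-iphone-client"     # the client_id an OP would normally put in aud
RS_AUDIENCE = "https://rs.example/api"        # the audience this RS insists on
SHARED_KEY = b"constructed-demo-key"          # HS256 keeps the demo offline; real OPs sign with RS256


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(sub: str, aud: str, now: int, lifetime: int = 300) -> str:
    """Stand-in for the OP (steps 2-4): build an HS256 id_token for the given audience."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": ISSUER, "sub": sub, "aud": aud, "iat": now, "exp": now + lifetime}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SHARED_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def rs_subject_from_id_token(token: str, now: int) -> str:
    """RS side (step 6): accept the token only if it is bound to this RS, then return sub."""
    header_b64, payload_b64, sig_b64 = token.split(".")   # ValueError if not three parts
    expected = hmac.new(SHARED_KEY, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature check failed")
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")          # never let the token pick the algorithm
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("untrusted issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if RS_AUDIENCE not in audiences:
        # A token minted for the native client (aud=client_id) must not be honoured here.
        raise ValueError("id_token is not audience-restricted to this RS")
    if int(claims.get("exp", 0)) <= now:
        raise ValueError("id_token expired")
    return claims["sub"]
```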
