Hi Phil, thanks for producing this document write-up. I have a somewhat basic question regarding the document.
The id token contains the following mandatory information:

- iss: issuer
- sub: subject
- aud: audience
- iat: issued at
- exp: expiry
- auth_time: time when the end user was authenticated

An access token (when encoded as a JWT) may contain all these fields except the auth_time (since auth_time is not defined in the JWT spec). Given that your proposal actually does not define the authentication protocol to be used between the resource owner/end user and the authorisation server, I am wondering whether it would be possible to just add the auth_time parameter (and maybe some of the optional parameters) to the access token. Then, you can skip the id token.

How did I come up with that question? In Kerberos, for example, the above-listed information is carried within a single container (within the ticket), and so I am curious to hear why we have to send the information twice in OAuth (once in the access token, when the info is passed per value, and again via the id token). Maybe I'm missing something important here.

Ciao
Hannes
OAuth mailing list, [email protected], https://www.ietf.org/mailman/listinfo/oauth
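As an added illustration of the two claim sets compared in the message above (example code, not from the thread or from any IETF draft): a minimal HS256 JWT encoder plus a validator that checks each token type's mandatory claims, its audience, its validity window and, where auth_time is present, the age of the end-user authentication. The issuer, audiences, key and timestamps are constructed values.

```python
import base64, hashlib, hmac, json

# Constructed demo values (assumptions, not from the thread): shared HS256 key and a fixed clock.
SECRET = b"demo-secret-not-for-production"
NOW = 1_700_000_000

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign_jwt(claims: dict) -> str:
    """Hypothetical helper: compact HS256 JWS (header.payload.signature) over a claims set."""
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def parse_jwt(token: str) -> dict:
    """Check the HS256 signature in constant time, then decode the claims."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        raise ValueError("bad signature")
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

# Mandatory claims per token type, as listed in the message (iss/sub/aud/iat/exp, plus auth_time for the ID token).
ID_TOKEN_REQUIRED = {"iss", "sub", "aud", "iat", "exp", "auth_time"}
ACCESS_TOKEN_REQUIRED = {"iss", "sub", "aud", "iat", "exp"}

def validate(token: str, required: set, audience: str, now: int = NOW, max_age=None) -> dict:
    """Verify signature, required claims, audience, validity window and (optionally) auth_time freshness."""
    claims = parse_jwt(token)
    missing = required - set(claims)
    if missing:
        raise ValueError(f"missing claims: {sorted(missing)}")
    if claims["aud"] != audience:  # an ID token is for the client, an access token for the resource server
        raise ValueError("audience mismatch")
    if not claims["iat"] <= now < claims["exp"]:
        raise ValueError("token not currently valid")
    if max_age is not None and now - claims["auth_time"] > max_age:
        raise ValueError("authentication too old")
    return claims

def _claims(aud: str, **extra) -> dict:
    return {"iss": "https://op.example", "sub": "alice", "aud": aud, "iat": NOW - 5, "exp": NOW + 300, **extra}

# Constructed sample tokens: the ID token is addressed to the client, the access tokens to the resource
# server; the third one carries auth_time as the message proposes.
ID_TOKEN = sign_jwt(_claims("client-1", auth_time=NOW - 60))
ACCESS_TOKEN = sign_jwt(_claims("https://rs.example"))
ACCESS_TOKEN_WITH_AUTH_TIME = sign_jwt(_claims("https://rs.example", auth_time=NOW - 60))
```

Validating ACCESS_TOKEN against ID_TOKEN_REQUIRED fails on the missing auth_time, while ACCESS_TOKEN_WITH_AUTH_TIME passes those claim checks but still only for the resource server's audience.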
