undefined | Better HN

0 pointsnoctune5y ago0 comments

I think it's actually the OIDC access token and not the ID token. The OIDC spec does not mandate any structure for the access token, but letting it be a JWT isn't out-of-spec.

0 comments

dwaite5y ago

I do not believe that Apple yet uses the access token bit.

OAuth tokens also are not meant to be used for authentication, and require either a separate token (as OpenID Connect did) with appropriate security, or to wedge additional security on top of access tokens as Facebook did with Connect.

This is basically because access tokens are meant to be messages about allowed access to the API resources, not messages to the client software about the user.

sascha_sl5y ago

A few popular IdPs (e.g. keycloak) have no but semantic difference in access and ID tokens, they're both signed JWTs (EC/RSA or shudder HMAC shared secrets) with different typ fields.

j / k navigate · click thread line to collapse

0 comments

dwaite5y ago

I do not believe that Apple yet uses the access token bit.

This is basically because access tokens are meant to be messages about allowed access to the API resources, not messages to the client software about the user.

sascha_sl5y ago

A few popular IdPs (e.g. keycloak) have no but semantic difference in access and ID tokens, they're both signed JWTs (EC/RSA or shudder HMAC shared secrets) with different typ fields.

j / k navigate · click thread line to collapse