Hi
Code and access token hashes that can be returned in OIDC responses are a
good idea. I wonder, does it make any sense to have something like that
supported at the 'bare' OAuth2 level alone to lower the complexity level
(for example, dealing with JWS id_tokens containing an access token hash may
not be trivial) and just generalize this OIDC at_hash/c_hash idea?
For example, the JWK thumbprint [1] idea can be adapted.
Suppose the following is returned to the Client:
{"access_token":"123456", "refresh_token":"654321"}.
The approach at [1] can be applied producing:
{"access_token":"123456", "refresh_token":"654321",
"thumbprint":"AxTh-Rtyw"}.
Similarly for code responses...
Just an idea...
Sergey
[1]
http://tools.ietf.org/html/draft-jones-jose-jwk-thumbprint-00#section-3.3
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
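The two constructions compared in the message above, as an added example that is not part of the original post or of any IETF draft: `oidc_token_hash` implements the OIDC at_hash/c_hash rule (hash of the token's ASCII octets with the ID Token's alg hash, left-most half, base64url), and `response_thumbprint` is an assumed adaptation of the JWK thumbprint recipe to a token response (only the named members, keys in lexicographic order, no whitespace, UTF-8, SHA-256, base64url). The field name `thumbprint`, the choice of members, and the sample token values are the post's illustration, not a defined format; the function names are mine.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample token response, copied from the post's illustration.
TOKEN_RESPONSE = {"access_token": "123456", "refresh_token": "654321"}


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def oidc_token_hash(token: str, alg: str = "RS256") -> str:
    """OIDC at_hash / c_hash: hash the ASCII octets of the token with the
    hash function of the ID Token's JWS alg (RS256 -> SHA-256, ES512 ->
    SHA-512, ...), keep the left-most half, base64url-encode it."""
    bits = int(alg[2:])
    digest = hashlib.new(f"sha{bits}", token.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])


def response_thumbprint(response: dict,
                        fields=("access_token", "refresh_token")) -> str:
    """Assumed generalisation: the JWK thumbprint recipe applied to a token
    response. Serialise only the listed members, keys ordered
    lexicographically, no whitespace, UTF-8, then SHA-256 and base64url."""
    members = {k: response[k] for k in sorted(fields) if k in response}
    canonical = json.dumps(members, separators=(",", ":"), sort_keys=True,
                           ensure_ascii=False)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def add_thumbprint(response: dict) -> dict:
    """Server side: return the response with a 'thumbprint' member added
    (assumed member name, taken from the post's example)."""
    out = dict(response)
    out["thumbprint"] = response_thumbprint(response)
    return out


def verify_thumbprint(response: dict) -> bool:
    """Client side: recompute the thumbprint over the tokens actually
    received and compare it in constant time with the claimed value."""
    claimed = response.get("thumbprint")
    if not isinstance(claimed, str):
        return False
    return hmac.compare_digest(claimed, response_thumbprint(response))


if __name__ == "__main__":
    issued = add_thumbprint(TOKEN_RESPONSE)
    print(json.dumps(issued))
    tampered = dict(issued, access_token="999999")
    print("original verifies:", verify_thumbprint(issued))
    print("tampered verifies:", verify_thumbprint(tampered))
    print("at_hash (RS256):", oidc_token_hash(TOKEN_RESPONSE["access_token"]))
```

One caveat worth keeping in mind when weighing the two: a thumbprint carried in the same unsigned JSON body as the tokens can be recomputed by anyone who can alter that body, so it only detects accidental corruption. The OIDC at_hash/c_hash values get their value from living inside the signed ID Token, which binds the hash to the issuer; a bare-OAuth2 thumbprint would need an equivalent signature or a separately authenticated channel to give the same guarantee.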