
List:       shibboleth-users
Subject:    RE: OIDC OP 3.4 and issueIdTokenViaRefreshToken
From:       "Wessel, Keith via users" <users () shibboleth ! net>
Date:       2023-08-02 16:29:46
Message-ID: BN6PR11MB418087FBB84F6DAF2AB7F422CB0BA () BN6PR11MB4180 ! namprd11 ! prod ! outlook ! com

Correct, the spec states that the claims in the ID token must be the same as when the user originally authenticated. Short-term, that makes sense, but as you stated, that can be a challenge months in the future. It does seem like it could create problems.

Keith


-----Original Message-----
From: Cantor, Scott <cantor.2@osu.edu> 
Sent: Wednesday, August 2, 2023 11:26 AM
To: Wessel, Keith <kwessel@illinois.edu>; Shib Users <users@shibboleth.net>
Subject: Re: OIDC OP 3.4 and issueIdTokenViaRefreshToken

> An excellent point. I'll pass that along to our app developers. A better
> question is why the IdP ignored the spec and included it in V3.3 and earlier
> of the plugin. But since we know what the spec states, that's relatively moot
> at this point.

Well, it didn't ignore anything in the sense that it violated any rules, but why it defaulted that, I don't know. I presume it's some kind of historical thing but I didn't see any sign that there was any spec text talking about it being advisable or suggested, just that it "might not be there". Which admittedly is a soft "it probably will" but I have no idea why.

The access token and the refresh token that refreshes it should be exclusively about the UserInfo endpoint, and there's no ID token there ever. It's just needless contamination of function, not to mention you'd have to save off all the data enough to reproduce that token a year later when you shouldn't have to.

And it's much worse if you end up changing the ID token claims in that copy. What the heck would that even mean? And is any app gonna notice? I bet not.

Seems like a good recipe for mistakes to me.

-- Scott


-- 
For Consortium Member technical support, see https://shibboleth.atlassian.net/wiki/x/ZYEpPw
To unsubscribe from this list send an email to users-unsubscribe@shibboleth.net
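The rule Keith summarises (OIDC Core 1.0 section 12.2: an ID token returned from a refresh_token grant keeps iss, sub, aud, azp and auth_time from the original authentication, only iat moves) turned into a relying-party check that would notice the "changed claims in that copy" case Scott raises. This is an added example, not code from the thread or from the Shibboleth OP plugin; the token payloads are constructed.

```python
"""Compare an ID token obtained via refresh_token against the one from the
original login.  Assumes both JWTs were already signature-checked and decoded
into dicts.  Added example; payloads below are constructed."""

# Claims that MUST equal the original ID token (aud may be str or list).
FIXED_CLAIMS = ("iss", "sub", "aud", "azp")
# Per-token bookkeeping claims whose change is expected and not reported.
VOLATILE_CLAIMS = {"iat", "exp", "nbf", "jti", "nonce", "at_hash", "c_hash"}


def _as_set(value):
    return frozenset(value) if isinstance(value, (list, tuple)) else frozenset([value])


def check_refreshed_id_token(original: dict, refreshed: dict) -> dict:
    """Return {'violations': [...], 'drift': [...]}.  'violations' break the
    section 12.2 rules; 'drift' lists other claims (email, name, ...) whose
    value silently changed between the two tokens."""
    violations, drift = [], []
    for claim in FIXED_CLAIMS:
        if claim not in original and claim not in refreshed:
            continue  # azp is optional; absent from both is fine
        a, b = original.get(claim), refreshed.get(claim)
        same = _as_set(a) == _as_set(b) if claim == "aud" else a == b
        if not same:
            violations.append(f"{claim} changed: {a!r} -> {b!r}")
    if "auth_time" in refreshed and refreshed["auth_time"] != original.get("auth_time"):
        violations.append("auth_time no longer equals the original authentication time")
    if refreshed.get("iat", 0) < original.get("iat", 0):
        violations.append("iat of the refreshed token predates the original token")
    for claim in set(original) | set(refreshed):
        if claim in FIXED_CLAIMS or claim in VOLATILE_CLAIMS or claim == "auth_time":
            continue
        if original.get(claim) != refreshed.get(claim):
            drift.append(claim)
    return {"violations": violations, "drift": sorted(drift)}


# Constructed sample payloads (decoded JWT bodies).
ORIGINAL = {"iss": "https://idp.example.org", "sub": "u-1001", "aud": "rp-app",
            "azp": "rp-app", "iat": 1690000000, "auth_time": 1690000000,
            "exp": 1690003600, "email": "user@example.org"}
# Compliant refresh one day later: only iat/exp move.
GOOD_REFRESH = {**ORIGINAL, "iat": 1690086400, "exp": 1690090000}
# The problematic copy: claims re-minted from the current user record.
BAD_REFRESH = {**GOOD_REFRESH, "auth_time": 1690086400, "sub": "u-2002",
               "email": "renamed@example.org"}

if __name__ == "__main__":
    print(check_refreshed_id_token(ORIGINAL, GOOD_REFRESH))
    print(check_refreshed_id_token(ORIGINAL, BAD_REFRESH))
```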

