undefined | Better HN

0 pointsTJSomething7y ago0 comments

OpenID Connect Core, section 2: "The ID Token is represented as a JSON Web Token (JWT) [JWT]." (https://openid.net/specs/openid-connect-core-1_0.html#IDToke...)

0 comments

4 comments · 1 top-level

user59944617y ago· 3 in thread

Well, that's good to know on the one hand. On the other hand, I've never seen a provider that respected that section in full.

unscaled7y ago

This is more or less one of the only part that is respected in full.

I've got to say, I've seen providers without proper discovery, I've seen providers with strange hybrid flows and I'm pretty sure most providers don't implement the request/response signing and encryption (after all, if you want insanity, you'll be more than happy with SAML). But I've never seen a provider who doesn't implement an ID token.

I think everybody would agree that OpenID Connect without an ID token is just plain OAuth 2.

user59944616y ago

I've had providers with blackbox tokens. Basically a random string that has to be passed to the /userinfo endpoint to retrieve the user claims.

I've had providers with the id_token and access_token being the same value. Other where they were different values. One that didn't support refresh_token at all.

Then a variety of screw ups where the required claims in the JWT tokens are missing or incorrect.

It's wild really. It always takes a bit of work to integrate any OpenID Connect provider. Most libraries only care to handle Google or Facebook login.

andyroid7y ago

Huh? The ID token and it’s claims is one of the core concepts of OIDC. Are you thinking of OAuth? That spec says nothing about token formats.

j / k navigate · click thread line to collapse