On Mon, 1 Apr 2019, 18:54 Pedro Igor Silva, <psilva(a)redhat.com> wrote:
> A few additional comments:
> * "or alternatively the application can include an id_token_hint with the
> request that proves the application does not need consent from the user"
> I understand that ID Tokens should be short-lived, but aren't we setting
> the exp of ID tokens with the value from access tokens? See
On my phone so can't look at that. ID tokens have some expiration as access
> In addition to that, I don't think that using a front-channel to
> tokens is something we want to do given that there are a lot of
> considerations around this approach. If we are really going this way, I
> think we should at least consider some form of proof-of-possession.
I'm not 100% convinced about id_token_hint either, but the OIDC spec already
uses id_token_hint in several places. It's in the auth endpoint already (not
something we're adding) and also used in the logout specs. I also struggle to see
how it can be misused even if obtained.
Proof of possession is a nice idea, but not sure how that could be done
without storing additional things at the server side.
> For last, maybe you should explicitly mention the usage of TLS?
I do believe that is already implied? Oauth/OIDC/tokens are completely
insecure without TLS.
On Wed, Mar 27, 2019 at 9:43 PM Stian Thorgersen <sthorger(a)redhat.com>
> Based on feedback and also thinking about this a bit more I've now updated
> the proposal for Application Initiated Actions.
> Please read and comment on the update draft if you're interested.
> keycloak-dev mailing list