Re: [keycloak-dev] Application Initiated Actions Draft #2

On Tue, Apr 2, 2019 at 10:12 AM Marek Posolda <mposolda(a)redhat.com <mailto:mposolda@redhat.com>> wrote: > There's a difference in leaking a refresh token and access token to leaking > a ID token IMO. From thinking about it I can't see how you would use a > leaked ID token as apps don't accept them in the same way as services > accept access tokens. Hopefully yes, but even if ID Token is leaked, it is not ideal. In the past, we had issues with the fact that IDToken could be used as accessToken. This shouldn't be an issue in our adapters, where we test the "typ" and audience in the tokens. But some 3rd party service can be buggy and still accept ID Token as access token due some missing checks. Hopefully this is not big issue in reality... +1. But audience check is still false by default, right?