On 02/04/2019 15:24, Pedro Igor Silva wrote:
On Tue, Apr 2, 2019 at 10:12 AM Marek Posolda <mposolda(a)redhat.com
> There's a difference in leaking a refresh token and access token
> a ID token IMO. From thinking about it I can't see how you would
> leaked ID token as apps don't accept them in the same way as
> accept access tokens.
Hopefully yes, but even if the ID Token is leaked, it is not ideal. In
past, we had issues with the fact that the ID Token could be used as
access token. This shouldn't be an issue in our adapters, where we
the "typ" and audience in the tokens. But some 3rd party service
buggy and still accept the ID Token as an access token due to some missing
Hopefully this is not a big issue in reality...
+1. But the audience check is still false by default, right?
Yes. But the "typ" is checked in our adapters, so you won't be able to
use an ID token as an access token. I think the issue could be just for 3rd
party adapters, which may not check all the necessary things.
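The failure mode discussed in this thread, as an added example that is not Keycloak adapter code and not code from any participant: a bearer-token consumer that only verifies the realm signature and expiry will happily accept a leaked ID token (or a refresh token) as if it were an access token, whereas a consumer that requires the payload claim "typ" to be "Bearer" rejects it, and one that additionally checks "aud" (the behaviour the thread says is off by default) also rejects access tokens minted for some other client. To run offline the tokens are HS256-signed with a constructed key; real Keycloak tokens are RS256-signed with the realm key. The issuer URL, client ids, and the names `mint`, `naive_accept`, `strict_accept` and `outcome` are all assumptions of this example.

```python
"""Why a bearer-token consumer must check Keycloak's payload "typ" claim (and, when
enabled, "aud"). Added example, not Keycloak adapter code. Tokens are HS256-signed
with a constructed key so the script runs offline; real Keycloak tokens are
RS256-signed with the realm key, and the checks shown are the same."""
import base64
import hashlib
import hmac
import json
import time

# Constructed secret for the demo only; a real realm signs with an RSA key pair.
DEMO_KEY = b"constructed-demo-key-not-a-realm-key"
ISSUER = "https://sso.example.test/auth/realms/demo"   # constructed issuer
API_CLIENT = "backend-api"                              # constructed resource server client id
WEBAPP_CLIENT = "webapp"                                # constructed front-end client id


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint(typ: str, aud, key: bytes = DEMO_KEY, lifetime: int = 300) -> str:
    """Mint a Keycloak-style JWT. The token kind is the payload "typ" claim:
    "Bearer" for access tokens, "ID" for ID tokens, "Refresh" for refresh tokens."""
    now = int(time.time())
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iss": ISSUER, "sub": "user-1", "typ": typ, "aud": aud,
               "azp": WEBAPP_CLIENT, "iat": now, "exp": now + lifetime}
    signing_input = (_b64url(json.dumps(header).encode()) + "."
                     + _b64url(json.dumps(payload).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def _verify_signature_and_expiry(token: str, key: bytes) -> dict:
    """Shared baseline: pinned algorithm, valid signature, expected issuer, not expired."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_unb64url(header_b64))
    if header.get("alg") != "HS256":            # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_unb64url(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("exp", 0) <= time.time():
        raise ValueError("expired")
    return claims


def naive_accept(token: str, key: bytes = DEMO_KEY) -> dict:
    """The buggy third-party pattern from the thread: a valid realm signature is
    taken as proof that this is an access token. A leaked ID token passes."""
    return _verify_signature_and_expiry(token, key)


def strict_accept(token: str, key: bytes = DEMO_KEY, verify_token_audience: bool = False) -> dict:
    """What the thread says the Keycloak adapters do: always require typ == "Bearer".
    The audience check is modelled as an opt-in flag because the thread says it is
    off by default; when on, our client id must appear in "aud"."""
    claims = _verify_signature_and_expiry(token, key)
    if claims.get("typ") != "Bearer":
        raise ValueError(f"token typ {claims.get('typ')!r} is not an access token")
    if verify_token_audience:
        aud = claims.get("aud", [])
        aud = [aud] if isinstance(aud, str) else list(aud)
        if API_CLIENT not in aud:
            raise ValueError(f"audience {aud} does not include {API_CLIENT}")
    return claims


def outcome(check, token: str, **kwargs) -> str:
    """Run a verifier and report "accepted" or "rejected: <reason>"."""
    try:
        check(token, **kwargs)
        return "accepted"
    except ValueError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    samples = [("access", mint("Bearer", API_CLIENT)),
               ("id", mint("ID", WEBAPP_CLIENT)),
               ("refresh", mint("Refresh", ISSUER)),
               ("foreign-aud", mint("Bearer", "other-api"))]
    for name, tok in samples:
        print(f"{name:12} naive:      {outcome(naive_accept, tok)}")
        print(f"{name:12} strict:     {outcome(strict_accept, tok)}")
        print(f"{name:12} strict+aud: {outcome(strict_accept, tok, verify_token_audience=True)}")
```

Running the script prints one line per verifier for each constructed token: the naive verifier accepts all four, the strict one rejects the ID and refresh tokens on "typ" alone, and only the audience-enabled verifier also rejects the access token issued for "other-api". Note the order of checks: "typ" is tested before "aud", so an ID token is refused even when the audience check is left at its default.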