[keycloak-dev] Application Initiated Actions Draft #2

Pedro Igor Silva psilva at redhat.com
Tue Apr 2 09:24:05 EDT 2019


On Tue, Apr 2, 2019 at 10:12 AM Marek Posolda <mposolda at redhat.com> wrote:

> > There's a difference in leaking a refresh token and access token to
> > leaking an ID token IMO. From thinking about it I can't see how you would use a
> > leaked ID token as apps don't accept them in the same way as services
> > accept access tokens.
>
> Hopefully yes, but even if ID Token is leaked, it is not ideal. In the
> past, we had issues with the fact that IDToken could be used as
> accessToken. This shouldn't be an issue in our adapters, where we test
> the "typ" and audience in the tokens. But some 3rd party service can be
> buggy and still accept ID Token as access token due to some missing checks.
> Hopefully this is not a big issue in reality...
>

+1. But audience check is still false by default, right?
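The check Marek describes above, testing the token's "typ" and audience before a service treats it as an access token, as an added example; this is not Keycloak adapter code nor code from anyone on this thread. It assumes HS256 with a constructed shared secret in place of the realm's asymmetric signature, an assumed issuer URL and client id, and the claim layout Keycloak uses (a "typ" claim in the payload with values such as "Bearer" and "ID"). The audience check here is unconditional, which is the point of the question about the default.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed secret for this example only; a real resource server verifies
# the realm's RS256 signature against the issuer's published public key.
SHARED_SECRET = b"example-hmac-secret-not-for-production"
EXPECTED_ISSUER = "https://idp.example.test/realms/demo"  # assumed issuer
RESOURCE_CLIENT_ID = "inventory-api"                      # assumed client id of this service


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def mint_token(claims):
    """Build an HS256 JWT. Constructed test helper standing in for the IdP."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_access_token(token, now=None):
    """Return the claims only for a signed, unexpired access token aimed at this service.

    Raises ValueError with the reason otherwise. Order matters: nothing in the
    payload is trusted before the signature has been checked.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, binascii.Error):
        raise ValueError("malformed token")

    # Pin the algorithm; never let the token choose (rules out alg "none").
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg")
    expected = hmac.new(SHARED_SECRET, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise ValueError("bad signature")

    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")

    # The "typ" check is what stops a leaked ID token (typ "ID") or refresh
    # token (typ "Refresh") from being accepted where an access token is expected.
    typ = claims.get("typ")
    if typ != "Bearer":
        raise ValueError(f"typ {typ!r} is not an access token")

    # "aud" may be a single string or a list; this service must be named in it.
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    if RESOURCE_CLIENT_ID not in aud:
        raise ValueError("audience does not include this service")
    return claims


def classify_token(token, now=None):
    """Convenience wrapper returning 'accepted' or 'rejected: <reason>'."""
    try:
        verify_access_token(token, now=now)
        return "accepted"
    except ValueError as exc:
        return f"rejected: {exc}"


# Constructed sample tokens with a fixed clock so the results are stable.
NOW = 1_700_000_000
_BASE = {"iss": EXPECTED_ISSUER, "sub": "user-123", "iat": NOW - 60, "exp": NOW + 240}
ACCESS_TOKEN = mint_token({**_BASE, "typ": "Bearer", "aud": ["inventory-api", "account"], "azp": "web-frontend"})
ID_TOKEN = mint_token({**_BASE, "typ": "ID", "aud": "web-frontend", "azp": "web-frontend"})
OTHER_SERVICE_TOKEN = mint_token({**_BASE, "typ": "Bearer", "aud": "billing-api", "azp": "web-frontend"})

if __name__ == "__main__":
    for name, tok in [("access", ACCESS_TOKEN), ("id", ID_TOKEN), ("other-service", OTHER_SERVICE_TOKEN)]:
        print(f"{name:14s} -> {classify_token(tok, now=NOW)}")
```

The ID token fails on "typ" before the audience is even consulted, and an access token minted for a different service fails on audience; a service that skips either check is the "buggy 3rd party service" case from the quoted reply.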

