Reputation: 1026
Suppose we have 3 Relying Parties with 1 OpenID Provider (= Identity Provider). If a user wants to sign in to the first application, he will be redirected to the Identity Provider (via the Authorization Code Flow) and, at the end of the flow, the first application will have an ID token and an access token.
If the user, 10 minutes later, wants to sign in to the second relying party, he will be automatically redirected to the IDP (via the Authorization Code Flow) and the IDP will recognize the user by the cookie. So the IDP will not ask the user to authenticate and, at the end of the flow, the second Relying Party will have an ID Token & access token.
My question: can you confirm that the ID Token & Access Token of the second Relying Party will be different from the ID Token & Access Token of the first Relying Party?
Upvotes: 0
Views: 799
Reputation: 4467
Yes, they should be different.
In ID tokens the aud claim should contain the relying party app for whom the token is intended.
In the access token there is usually something like a client_id claim so the Relying Party could identify which client this token was issued to - although this isn't guaranteed.
See the JWT spec for details of OpenID Connect JWT tokens.
Upvotes: 3
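The point of the answer above is that each Relying Party's ID token is bound to that RP through the aud claim, so the tokens differ even though the same SSO session produced them, and an RP must reject a token whose aud names some other RP. The following is an added example, not code from the original question or answer and not any library's implementation. It mints three ID tokens for one user (same sub, three different aud values) and shows the RP-side validation that enforces the audience binding. All identifiers (ISSUER, the rp1-client/rp2-client/rp3-client client IDs, SECRET, USER_SUBJECT) are constructed for the example; it uses HS256 with a shared secret as a stand-in for the RS256 key an OpenID Provider would normally sign with, so that it runs offline with only the standard library.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample values for this example (not from the original post).
ISSUER = "https://idp.example"                              # hypothetical OpenID Provider
RP_CLIENT_IDS = ("rp1-client", "rp2-client", "rp3-client")  # hypothetical Relying Parties
SECRET = b"example-shared-secret"                            # HS256 stand-in for the OP's RSA key
USER_SUBJECT = "user-42"                                     # the one SSO'd user


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(client_id: str, now: Optional[int] = None) -> str:
    """Mint an ID token the way the OP would for one RP: aud is the client_id of the
    RP that started this particular Authorization Code Flow, while sub (the user)
    is the same for every RP in the SSO session."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "sub": USER_SUBJECT, "aud": client_id,
              "iat": now, "exp": now + 600}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def validate_id_token(token: str, my_client_id: str, now: Optional[int] = None) -> dict:
    """RP-side checks in the order a validator should do them: signature, alg,
    issuer, audience, expiry. Raises ValueError on any failure, including a
    token that was issued to a different RP (audience mismatch)."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h64, c64, s64 = parts
    expected = hmac.new(SECRET, f"{h64}.{c64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    if json.loads(_b64url_decode(h64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    claims = json.loads(_b64url_decode(c64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]   # aud may be a string or a list
    if my_client_id not in audiences:
        raise ValueError(f"token audience {audiences} does not include {my_client_id}")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def tokens_differ_per_rp(now: int = 1_700_000_000) -> bool:
    """Same user, same SSO session, three RPs: every RP gets a distinct token,
    accepts its own, and rejects the tokens minted for the other two."""
    tokens = {cid: issue_id_token(cid, now) for cid in RP_CLIENT_IDS}
    if len(set(tokens.values())) != len(RP_CLIENT_IDS):
        return False
    for cid, tok in tokens.items():
        if validate_id_token(tok, cid, now)["aud"] != cid:
            return False
        for other in RP_CLIENT_IDS:
            if other == cid:
                continue
            try:
                validate_id_token(tok, other, now)
                return False  # a token meant for another RP was accepted
            except ValueError:
                pass
    return True


if __name__ == "__main__":
    print("each RP gets its own token, bound by aud:", tokens_differ_per_rp())
```

The access-token side is deliberately left out: as the answer notes, a client_id claim there is common but not guaranteed by the spec, so an RP should not rely on introspecting an access token's contents the way it relies on the ID token's aud.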