Thomas

Reputation: 595

Do I Pass the Identity Token in a Header or Body of a Post Request?

The access token and refresh token being in the header makes sense to me (from this answer), but I'm wondering the same thing for ID or Identity Tokens. Should those be:

  1. Passed into the body of a post request?
  2. Passed into some header (Authorization header is used by the access token)
  3. Something else (I'm misunderstanding the purpose of the identity token)

A little more context, through SSO, I would like to take the claims of a user (present only in the Identity Token) and sign them up in my system. I can confirm I can do this easily by throwing the identity token into the body of the initial POST request (and validate the signature on the server), but wanted to check if I'm breaking some standard.

Thanks!

Upvotes: 0

Views: 2161

Answers (1)

Hans Z.

Reputation: 53958

In principle you can pass the ID token assuming that:

  1. the software that consumes and validates the ID token (Relying Party, RP) is part of the same application and security domain as the target system
  2. the link between the RP and the target system is secure, i.e. authentication of both parties and confidentiality of the communication is established
  3. the target system indeed requires all of the information in the ID token, otherwise it would be better to apply minimal disclosure and pass only a subset of the information

Passing the ID token (or the subset of claims) in headers may work if the amount of data is relatively small, otherwise you may run into HTTP header length limitations. Using POST though has the downside of having to modify the application request in flight which may be harder and have side effects.

For completeness, the refresh token is never passed in a header and only sent to the Authorization Server / Provider by the RP in a POST request.

Upvotes: 2
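The questioner's approach (ID token in the JSON body of the initial POST, signature validated on the server) together with the answer's third condition (minimal disclosure) can be shown end to end. The following is an added example, not code from the question or the answer. To stay self-contained it uses an HS256-signed ID token built with the standard library, where the client secret is the verification key; real OpenID Providers mostly issue RS256 tokens, which you would verify against the provider's JWKS with a maintained JWT library instead. The issuer URL, client_id, key and the sample claim set are constructed values.

```python
import base64
import hashlib
import hmac
import json
from typing import Any, Dict, Optional, Tuple

# Constructed values standing in for the OpenID Provider (OP) and this application.
ISSUER = "https://op.example.test"         # hypothetical OP issuer URL
CLIENT_ID = "signup-app"                   # hypothetical client_id registered at the OP
SHARED_KEY = b"constructed-client-secret"  # HS256 key; lives only on the server
ALLOWED_CLOCK_SKEW = 60                    # seconds of tolerance on exp


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: Dict[str, Any], key: bytes) -> str:
    """Stand-in for the OP: build an HS256-signed ID token from a claim set."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


class IdTokenError(Exception):
    """Raised when an ID token fails any validation step."""


def validate_id_token(token: str, key: bytes, issuer: str, audience: str,
                      expected_nonce: Optional[str], now: float) -> Dict[str, Any]:
    """Signature first, then iss/aud/azp/exp/nonce; returns the claims only if all pass."""
    parts = token.split(".")
    if len(parts) != 3:
        raise IdTokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:
        raise IdTokenError("malformed token")
    # Pin the algorithm: the token's own header must never choose how it is verified.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise IdTokenError("unsupported alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise IdTokenError("bad signature")
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        raise IdTokenError("malformed payload")
    if not isinstance(claims, dict):
        raise IdTokenError("malformed payload")
    if claims.get("iss") != issuer:
        raise IdTokenError("wrong issuer")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if audience not in audiences:
        raise IdTokenError("wrong audience")
    if len(audiences) > 1 and claims.get("azp") != audience:
        raise IdTokenError("azp required for multi-audience token")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now > exp + ALLOWED_CLOCK_SKEW:
        raise IdTokenError("expired")
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        raise IdTokenError("nonce mismatch")
    return claims


SIGNUP_CLAIMS = ("sub", "email", "name")  # the only claims the sign-up flow needs


def signup_profile(claims: Dict[str, Any]) -> Dict[str, Any]:
    """Minimal disclosure: hand the target system a subset, not the whole token."""
    return {k: claims[k] for k in SIGNUP_CLAIMS if k in claims}


def handle_signup_post(body: Dict[str, Any], expected_nonce: Optional[str],
                       now: float) -> Tuple[int, Dict[str, Any]]:
    """Server side of POST /signup with {"id_token": ...} in the JSON body.

    expected_nonce is the nonce this server stored in the login session when it
    started the OIDC flow; it binds the token to that session."""
    token = body.get("id_token")
    if not isinstance(token, str):
        return 400, {"error": "id_token missing"}
    try:
        claims = validate_id_token(token, SHARED_KEY, ISSUER, CLIENT_ID, expected_nonce, now)
    except IdTokenError as exc:
        return 401, {"error": str(exc)}
    return 201, signup_profile(claims)
```

The handler never forwards the raw token past the validation boundary: once the signature and claims check out, only `sub`, `email` and `name` reach the account-creation step, which is the "subset of the information" the answer recommends.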
