Use of access_token by RP in IPSIE level 1 #115

Description

@gffletch

The current proposed stable requirements define the following:

Access Tokens issued by OpenID Providers:

  • MUST only be used by the RP to retrieve identity claims at the OpenID Provider;

I don't believe we should restrict the use of the access token in IPSIE level 1 to just obtaining identity claims from the /userinfo endpoint, but rather specify that in IPSIE level 1 that is the only use that will be conformance tested. If the RP wants to use the access_token for other actions, that is outside the specification of IPSIE level 1 and not prohibited.

Maybe change the wording to...

  • MUST support use by the RP to retrieve identity claims at the OpenID Provider;
