Usage of response_type="code token" in OAuth 2?


The OpenID Connect spec indicates that multiple response types can be combined, e.g. response_type="code token". Now I'm wondering what good it is to request both an authorization code and a token: if you already have a token, isn't the auth code superfluous?

OAuth 2.0 is a protocol framework on top of which other protocols can be built, and OpenID Connect is an example of such a protocol.

Especially for OpenID Connect, it makes sense to use combined response types because there are 2 tokens in play: access_token and id_token. Using the "response type", the client can request how each token should be delivered.

For the example that you have given, the access_token would be delivered as part of the authentication response via the front channel, but the id_token would be delivered by exchanging the "code" for an id_token at the token endpoint in a back-channel call.

One reason for doing this may be that the id_token, which is a signed JWT, does not have to be verified locally when it is obtained from the appropriate TLS-protected token endpoint, so the client code can be simpler. The access_token is opaque to the client anyhow and does not have that advantage.
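
The split delivery described in the answer above, as an added example that is not part of the original post: a client parses a `response_type="code token"` redirect, takes the access_token from the front channel, and prepares the back-channel request that exchanges the code. The function names, the redirect URL and all token values are assumptions constructed for illustration.

```python
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

class HybridResponseError(ValueError):
    """The redirect is not an acceptable "code token" response."""

def _single(params, name):
    values = params.get(name, [])
    if len(values) != 1:  # missing, blank or duplicated parameter
        raise HybridResponseError(f"expected exactly one {name!r} parameter")
    return values[0]

def parse_code_token_response(redirect_url, expected_state):
    """Return the front-channel access_token and the code still to be exchanged."""
    parts = urlsplit(redirect_url)
    # Combined response types are returned in the URL fragment by default.
    # In the query string they would reach server logs and Referer headers.
    if parse_qs(parts.query).keys() & {"code", "access_token"}:
        raise HybridResponseError("credentials arrived in the query string")
    params = parse_qs(parts.fragment)
    if "error" in params:
        raise HybridResponseError("authorization server returned an error")
    # Bind the response to the request this client started.
    state = _single(params, "state")
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise HybridResponseError("state mismatch")
    if _single(params, "token_type").lower() != "bearer":
        raise HybridResponseError("unsupported token_type")
    return {"access_token": _single(params, "access_token"),
            "code": _single(params, "code")}

def build_code_exchange(code, redirect_uri):
    """Form body for the back-channel POST to the token endpoint.
    Client authentication travels separately (e.g. HTTP Basic) and is omitted."""
    return urlencode({"grant_type": "authorization_code",
                      "code": code,
                      "redirect_uri": redirect_uri})

# Constructed sample redirect; every value is made up for illustration.
SAMPLE_REDIRECT = ("https://client.example/cb#access_token=SAMPLE-AT"
                   "&token_type=Bearer&code=SAMPLE-CODE&state=constructed-state")

if __name__ == "__main__":
    result = parse_code_token_response(SAMPLE_REDIRECT, "constructed-state")
    print(build_code_exchange(result["code"], "https://client.example/cb"))
```

The id_token is absent from the parsed redirect; it only appears in the token endpoint's response to the POST built by `build_code_exchange`.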

