Should I use separate OIDC clients for RFC-8252 (OIDC w/ PKCE) client and my HTTP API?

I have a non-browser client (Desktop app) that makes HTTP requests to my API.
I have the desktop client configured to use RFC-8252 (spawn an ephemeral HTTP server to handle the auth code flow’s HTTP redirect) so that the user enters creden…

What’s the purpose of signing OIDC ID Tokens if they shouldn’t be used as bearer tokens

It seems like signing ID Tokens invites misuse.
As I understand it, OIDC ID tokens should not be used as bearer tokens for authorizing API access. Instead, we should use access tokens.
However, the ID token is still signed, and in the case…

Why does OpenID Connect ("OIDC") use a `nonce` claim instead of the `jti` registered claim

According to the spec, OpenID Connect uses nonce as the registered claim name, but RFC 7519 already includes a registered claim named jti for this same purpose.

Was this an oversight, or was there something wrong with the wa…