The Number Verification API, as per directives from ICM, shall adhere to the "OIDC Authorization Code Flow". Thus, as per the OIDC specification, the scope shall be "openid". As openid is included, an idToken will be returned.
From the perspective of the Number Verification API, some guidance on what the idToken can be securely used for would be appreciated. "Normally" the idToken is used by the consumer to trace the end-user. The operator will specify a value corresponding to the end-user in this token (but not an MSISDN) and the next time the consumer will know it's the same end-user. But does this "normal" use of said token make sense in the case of Number Verification?
It could be argued that returning an idToken is superfluous to the needs of Number Verification (it will anyway require an access token for accessing the resource). However, if we shall be compliant to OIDC, then this is needed.