Use of access_token by RP in IPSIE level 1

[gffletch]

The current proposed stable requirements define the following:

Access Tokens issued by OpenID Providers:

• MUST only be used by the RP to retrieve identity claims at the OpenID Provider;

I don't believe we should restrict the use of the access token in IPSIE level one to just obtaining identity claims from the /userinfo endpoint. But rather specify that in IPSIE level 1 that is the only use that will be conformance tested. If the RP wants to use the access_token for other actions that is outside the specification of IPSIE level 1 and not prohibited.

Maybe change the wording to...

• MUST support use by the RP to retrieve identity claims at the OpenID Provider;

[aaronpk]

I will try to dig up the meeting minutes later but IIRC this was an explicit decision we previously made.

[aaronpk]

Previous discussion in this thread: #63

[gffletch]

So I get the logic from the previous thread for those SaaSs that ONLY care about SSO. If an SaaS does more than just SSO, does that mean it can't be certified for IPSIE SL1?

That seems problematic to me. I should be able to certify my SaaS that does IPSIE SL1+