This repository has been archived by the owner on Sep 18, 2021. It is now read-only.

Poor Man's Delegation Actas with OpenIdConnectionAuthenticationModule and idSrv3 #43

Closed
ciaranj opened this issue Apr 14, 2014 · 2 comments

Comments

@ciaranj
Contributor

ciaranj commented Apr 14, 2014

I'm currently determining a route forward for the identity provision piece of some software I'm responsible for. I had settled on IDSrv2 as an approach that would give me a great head start on where I wanted to go (thank you). Then you went and released the IDsrv3 preview, which shook my foundations somewhat.

So I've set about re-implementing my PoC flows around the proposed future of id: the OpenID Connect approach.

One thing that I was doing previously (http://www.cloudidentity.com/blog/2013/01/09/USING-THE-JWT-HANDLER-FOR-IMPLEMENTING-POOR-MAN-S-DELEGATION-ACTAS/) was using the original JWT received from IDSrv2 to 'pass' tokens on to later Web API calls from within the application a user has performed a federated sign-in to.

From what I can see, OpenIdConnectionAuthenticationModule does not support this notion of a 'bootstrap token', and I can't find the scope that I've requested from idsrv3 ('read') appearing in any of the claims in the identity token that comes back.

Is such a flow meaningful in an OpenID Connect world, or do I need to 'just' pass around the 'bearer' access token (which has no signature verification or notion of scopes/claims associated with it) to the delegated API calls? Apologies as always if these questions are frankly dumb!

@ciaranj
Contributor Author

ciaranj commented Apr 14, 2014

Speaking of dumb questions! Just noted in TestClients:

`AccessTokenType = AccessTokenType.Reference,`

vs.

`AccessTokenType = AccessTokenType.JWT`

Changing my client from getting back an access token reference to getting back a JWT allows me to proceed as previously, doh!
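What the downstream API gains from the JWT setting, as an added example that is not part of this thread or of IdentityServer3: with a self-contained JWT access token the API can verify the signature, expiry, audience and `scope` claim locally, whereas a reference token is an opaque handle with none of that. The signing key, claims and HS256 algorithm below are constructed stand-ins (IdentityServer3 signs access tokens with RS256 and its signing certificate); the validation steps are the same.

```python
import base64, hmac, hashlib, json, time

# Constructed demo secret; a real deployment validates RS256 against the
# token server's public signing certificate instead of a shared key.
DEMO_KEY = b"constructed-demo-secret"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_jwt_access_token(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Mint a JWT access token (constructed sample) so the example runs offline."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def validate_access_token(token: str, audience: str, required_scope: str,
                          key: bytes = DEMO_KEY, now=None) -> dict:
    """Checks a downstream API can run locally on a JWT access token.
    Raises ValueError on any failure and returns the claims on success."""
    parts = token.split(".")
    if len(parts) != 3:
        # A reference token is opaque: no signature or claims to inspect here.
        # The API would have to ask the token server to validate it instead.
        raise ValueError("not a JWT (reference token?)")
    header, payload, sig = parts
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("expired")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    # IdentityServer-style tokens carry 'scope' as a string or an array.
    scopes = claims.get("scope", [])
    scopes = scopes.split() if isinstance(scopes, str) else scopes
    if required_scope not in scopes:
        raise ValueError(f"missing scope {required_scope!r}")
    return claims
```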

@leastprivilege
Member

:)
