Basic - 3.2.3. What **openid** scope request.
In draft 13:
"... The openid scope grants the RP access to the user identifier of the authenticated user of the session. ...."
This reads as though, if I specify openid in the scope parameter, the id_token will be returned. How about UserInfo?
Comments (4)
Yes. If you specify only openid as the scope, you get back the id_token containing the userid and other session information. You get back an access token that will not give you any information other than the userid from the user-info endpoint.

reporter Thank you. I got it.
But Basic requires that `return_type` MUST include "access_token id_token" with "openid" included in `scope`. That means that the RP gets access rights to the user's identifier and the user's profile data.
I know this is just another wording thing.

reporter Otherwise, can the End User reject returning an access_token and return only an id_token when he/she consents at the OP after authentication?

changed status to resolved
Yes, the user can decline access to the user-info endpoint.
The client would still get a token, but it would only be good to get the user ID from the endpoint. The OP can also return an error.
Profile data is optional.
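A worked illustration of the behaviour discussed in this thread, written for this page as an added example (it is not code from the OpenID Connect specification, from the Basic Client Profile draft, or from any OP implementation): a toy OP that, after authentication and consent, issues ID Token claims plus an access token bound to the scopes the user actually granted, and a UserInfo endpoint that releases only the claims those scopes unlock. With `scope=openid` alone the access token yields nothing beyond `sub`; if the user declines `openid` itself the OP answers with an error. The issuer URL, client id, user record, in-memory token store and the `response_type` default are constructed stand-ins; the scope-to-claims table follows the OpenID Connect Core claim groupings for the `profile`, `email`, `address` and `phone` scope values (abbreviated here), and the ID Token is shown as its claim set rather than a signed JWT.

```python
"""Toy OpenID Connect OP: scope-bound access tokens and a UserInfo endpoint.

Constructed example. The issuer, client, user record and token store are
stand-ins; no network, no signing.
"""
import secrets
import time
from urllib.parse import urlencode

ISSUER = "https://op.example.com"  # hypothetical OP

# Scope value -> UserInfo claims it unlocks (subset of the Core claim groups).
SCOPE_CLAIMS = {
    "openid": {"sub"},
    "profile": {"name", "family_name", "given_name", "preferred_username"},
    "email": {"email", "email_verified"},
    "address": {"address"},
    "phone": {"phone_number", "phone_number_verified"},
}

# Constructed user record, keyed by subject identifier (not real data).
USERS = {
    "248289761001": {
        "sub": "248289761001",
        "name": "Jane Doe",
        "given_name": "Jane",
        "family_name": "Doe",
        "preferred_username": "j.doe",
        "email": "janedoe@example.com",
        "email_verified": True,
        "phone_number": "+1 (425) 555-1212",
        "phone_number_verified": False,
    }
}

# Opaque access token -> (sub, granted scopes). Stand-in for OP storage.
_ACCESS_TOKENS = {}


def build_authorization_request(client_id, redirect_uri, scopes, state, nonce,
                                response_type="id_token token",
                                authorize_endpoint=ISSUER + "/authorize"):
    """RP side: build the authorization request URL. The request is only an
    OpenID Connect request if the scope parameter contains 'openid'."""
    if "openid" not in scopes:
        raise ValueError("scope must include 'openid' for an OpenID Connect request")
    params = {
        "response_type": response_type,  # which flow to use is the caller's choice
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "nonce": nonce,
    }
    return authorize_endpoint + "?" + urlencode(params)


def parse_scope(scope_param):
    """Split the space-delimited scope parameter; unknown values are ignored."""
    return {s for s in scope_param.split() if s in SCOPE_CLAIMS}


def authorize(sub, requested_scope, consented_scope, client_id, nonce, now=None):
    """OP side, after authentication and consent: issue ID Token claims and an
    access token bound to the intersection of requested and consented scopes.
    The user may decline any scope; declining 'openid' itself yields an error."""
    granted = parse_scope(requested_scope) & parse_scope(consented_scope)
    if "openid" not in granted:
        return {"error": "access_denied"}  # constructed error response shape
    now = int(time.time()) if now is None else now
    id_token_claims = {
        "iss": ISSUER, "sub": sub, "aud": client_id, "nonce": nonce,
        "iat": now, "exp": now + 300,
    }
    access_token = secrets.token_urlsafe(32)
    _ACCESS_TOKENS[access_token] = (sub, granted)
    return {
        "id_token": id_token_claims,
        "access_token": access_token,
        "token_type": "Bearer",
        "scope": " ".join(sorted(granted)),
    }


def userinfo(access_token):
    """UserInfo endpoint: return only the claims the token's scopes unlock.
    For a token granted with scope 'openid' alone that is just {'sub': ...}."""
    entry = _ACCESS_TOKENS.get(access_token)
    if entry is None:
        return {"error": "invalid_token"}
    sub, granted = entry
    allowed = set().union(*(SCOPE_CLAIMS[s] for s in granted))
    return {k: v for k, v in USERS[sub].items() if k in allowed}


if __name__ == "__main__":
    print(build_authorization_request("client-abc", "https://rp.example.com/cb",
                                      ["openid", "profile"], "af0ifjsldkj", "n-0S6_WzA2Mj"))
    # RP asked for openid+profile+email; user consented to openid only.
    resp = authorize("248289761001", "openid profile email", "openid",
                     "client-abc", "n-0S6_WzA2Mj")
    print(resp["id_token"])
    print(userinfo(resp["access_token"]))  # only 'sub' comes back
```

The consent step is modelled as a second scope string so the declined-profile case from the thread is explicit: the RP still receives an access token, but UserInfo answers with nothing beyond the subject identifier, and a real OP would bind the granted scopes to the token exactly this way rather than trusting the RP's original request.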