Issue #323 resolved

Messages - Why must the Authorization Server always return an Access Token ?

Michael Jones avatarMichael Jones created an issue

Messages Overview says "3. The Authorization Server responds with access_token, id_token, and a few other variables." Why can't it sometimes reply with just an ID Token if that's all that's needed for the scenario?

Similarly, why aren't steps 4 (The Client sends a request with the access_token to the UserInfo endpoint) and 5 (UserInfo endpoint returns the additional user information supported by the Resource Server) OPTIONAL? Claims about the End-User aren't needed in all cases.

We should make use of the Access Token and UserInfo Endpoint optional in the case that no UserInfo claims are needed.

Comments (9)

  1. Nat Sakimura

    access_token is returned as otherwise it will not be OAuth 2.0 compliant.

    UserInfo etc is optional. It normatively says MAY, which means optional.

  2. Justin Richer

    If you don't want to return the access token in the flow, then you're going to have to define the server's behavior in the case of the client asking for *just* idtoken in the return_type. Everything else MUST return either an access token or a code to get an access token in order to be an OAuth2 endpoint.

  3. Log in to comment
Tip: Filter by directory path e.g. /media app.js to search for public/media/app.js.
Tip: Use camelCasing e.g. ProjME to search for ProjectModifiedEvent.java.
Tip: Filter by extension type e.g. /repo .js to search for all .js files in the /repo directory.
Tip: Separate your search with spaces e.g. /ssh pom.xml to search for src/ssh/pom.xml.
Tip: Use ↑ and ↓ arrow keys to navigate and return to view the file.
Tip: You can also navigate files with Ctrl+j (next) and Ctrl+k (previous) and view the file with Ctrl+o.
Tip: You can also navigate files with Alt+j (next) and Alt+k (previous) and view the file with Alt+o.