Messages - Why must the Authorization Server be required to return a code or access_token?

Issue #325 duplicate
Michael Jones created an issue

Login – By default, when the RP asks to log the user in and the user approves (or is auto-approved based on previous choices or configurations), all that needs to come back is an ID Token. Period. No authorization code. No access token. The transaction is then finished. The reason why it's OK to return the ID token directly is that the user is already trusting their browser to do their authentication to the authorization server, so the channel better be trusted, and the ID token is always short lived. So we are good. So there is no need for the authorization code in the Login scenario.

Like issue 323, if no UserInfo claims are needed, then no code or access_token should be required either.
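When the ID Token comes back directly through the browser with no code and no access token, the RP's only protections are the ones the issue names (a trusted channel and a short lifetime) plus its own validation of the token: signature, issuer, audience, expiry and the nonce it sent in the request. The following is an added example, not code from this issue or from the OpenID Connect project, showing that RP-side validation in Python with the standard library only. It assumes an HS256-signed ID Token (symmetric signing with the client secret, which OpenID Connect permits; most providers use RS256, so a real RP would verify against the provider's published keys instead), and all issuer, client and secret values are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the example only; not from any real provider.
SECRET = b"constructed-client-secret-for-example-only"
ISSUER = "https://op.example"          # hypothetical OpenID Provider
CLIENT_ID = "rp-client-123"            # hypothetical RP client_id


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, secret: bytes) -> str:
    """Build an HS256 JWT; stands in for the provider's signing step."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def validate_id_token(token, secret, expected_iss, client_id, expected_nonce, now=None, leeway=60):
    """Return (True, claims) on success or (False, reason) on failure.

    Checks follow the ID Token validation rules an RP applies when the token
    arrives straight from the front channel: signature, iss, aud/azp, exp, nonce.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed"
    # Pin the algorithm instead of trusting whatever the header claims
    # (this also rejects alg=none).
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected_sig = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(parts[2])):
        return False, "bad signature"
    claims = json.loads(b64url_decode(parts[1]))
    if claims.get("iss") != expected_iss:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if client_id not in aud_list:
        return False, "audience mismatch"
    # With several audiences, azp must name this client.
    if len(aud_list) > 1 and claims.get("azp") != client_id:
        return False, "azp mismatch"
    if not isinstance(claims.get("exp"), (int, float)) or now > claims["exp"] + leeway:
        return False, "expired"
    # The nonce binds this token to the request the RP actually made;
    # it is what stops a token captured elsewhere from being replayed here.
    if claims.get("nonce") != expected_nonce:
        return False, "nonce mismatch"
    return True, claims


def demo() -> dict:
    """Exercise the validator on a good token and three bad ones."""
    now = 1_700_000_000  # fixed clock so results are deterministic
    claims = {"iss": ISSUER, "sub": "user-42", "aud": CLIENT_ID,
              "exp": now + 300, "iat": now, "nonce": "n-abc"}
    token = mint_id_token(claims, SECRET)
    ok, _ = validate_id_token(token, SECRET, ISSUER, CLIENT_ID, "n-abc", now=now)

    # Payload altered after signing: the signature no longer matches.
    head, _, sig = token.split(".")
    forged_payload = b64url_encode(json.dumps(dict(claims, sub="admin"), separators=(",", ":")).encode())
    _, tampered = validate_id_token(f"{head}.{forged_payload}.{sig}", SECRET, ISSUER, CLIENT_ID, "n-abc", now=now)

    # Same valid token presented against a different login attempt.
    _, replayed = validate_id_token(token, SECRET, ISSUER, CLIENT_ID, "n-other", now=now)

    # Same token well after its short lifetime.
    _, stale = validate_id_token(token, SECRET, ISSUER, CLIENT_ID, "n-abc", now=now + 1000)

    return {"valid": ok, "tampered": tampered, "replayed": replayed, "stale": stale}


if __name__ == "__main__":
    print(demo())
```

The `nonce` check is the piece that makes the "no code, no access token" flow safe in practice: the RP generates the nonce per login attempt, stores it in the session, and only accepts an ID Token carrying that exact value.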

Comments (5)
