Messages - How is id_token returned when not accompanied by a code or token?
Issue #331
duplicate
The "openid" scope definition currently includes these rules for returning an id_token: "The openid value also requests that the ID Token associated with the authentication session be returned. If the response_type includes token, the ID Token is returned in the Authorization Response along with the Access Token. If the response_type includes code, the ID Token is returned as part of the Token endpoint response."
These instructions should also describe how the id_token is returned when not accompanied by a code or token.
Also, this is the wrong place to put these detailed instructions. It should be moved out of the "openid" scope definition and into normative text in a more logical place.
Comments (5)
- changed status to duplicate: Duplicate of #322.
- reporter changed status to open
- reporter changed status to duplicate: Duplicate of #323.
I have a question:
[Q1] If scope does not include openid, should the server return an error if response_type=token%20id_token ?
response_type is apparently a parameter that signals what token (code, access_token, etc.) the client wants from the Authorization EP. (I think OAuth 2.0 should define it like this. Currently, it has no semantics and just describes the behavior, which is causing confusion.)
The logical way, I think, is to require scope=openid to be specified to return id_token (because otherwise the semantics of id_token are undefined).
Then, it follows that:
and