Standard - 3.2.1 Refreshing Token should not return id_token
Typically, token refresh occurs when the user is not present,
i.e., there is no end-user session associated with it.
Thus, it should not return the id_token.
Proposal:
Remove id_token from the example.
Also,
{{{ Upon successful verification of the Refresh Token, a successful response returns the "application/json" media type and the response body is the Access Token Response of Section 2.2.3 of OpenID Connect Messages 1.0 [OpenID.Messages]. }}}
should be changed to:
{{{ Upon successful verification of the Refresh Token, a successful response returns the "application/json" media type and the response body is the Access Token Response of Section 2.2.3 of OpenID Connect Messages 1.0 [OpenID.Messages] except that it SHOULD NOT return id_token. }}}
Comments (3)
reporter - changed status to resolved
Fix #467. Token refresh in general should not return id_token
Account Deleted (Reply via br...@google.com):
I disagree.
We discussed this particular issue several times.
The id_token should be returned with the access_token if we want to enable some delegated use cases.