- changed status to open
Messages - 2.1.2 Some scope=openid behavior redundant?
Draft 7 text says:
openid
REQUIRED. Informs the Authorization Server that the Client is making an OpenID Connect request. If the openid scope value is not present, the request MUST NOT be treated as an OpenID Connect request. The openid value also requests that the ID Token associated with the authentication session be returned. If the response_type includes token, the ID Token is returned in the Authorization Response along with the Access Token. If the response_type includes code, the ID Token is returned as part of the Token Endpoint response. This scope value requests access to the user_id Claim at the UserInfo Endpoint.
In particular,
{{{ If the response_type includes token, the ID Token is returned in the Authorization Response along with the Access Token. }}}
duplicates the behavior of the response_type=token%20id_token.
Either the above description is wrong, or response_type=token%20id_token is redundant.
Since we are requiring the support of response_type="code" and "token id_token", it sounds like the above paragraph is wrong.
Needs to be determined.
Comments (2)
- changed status to resolved
Fixes #544
Fixed Sec 2.1.2 response_type references standard rather than repeating values that are binding specific
Fixed Sec 2.1.2 remove outdated language about openid scope requiring id_token to be returned with token response_type
Bug having openid return an id_token from the authorization endpoint predates the multi-token response type.