- changed status to resolved
Messages 2.2.3 "Access Token Response"
§2.2.3 "Access Token Response" of Messages-08 states that the "id_token MUST NOT be returned if the grant_type is not authorization_code." However, §3.2.1 "Refresh Token Response" of Standard-08* has weaker normative language stating only that, "it SHOULD NOT return id_token." Then, though non-normative, the example in that section of Standard seems to contradict both statements by showing an id_token being returned in response to a refresh token grant type request.
Is there some subtle reason for this that I'm not seeing?
If not, I'd suggest changing the SHOULD NOT in Standard §3.2.1 to a MUST NOT (or removing "except that it SHOULD NOT return id_token" text entirely) and removing the id_token from the JSON response in the example.
Thanks, Brian
Comments (1)
Fixed
#557 Messages 2.2.3 "Access Token Response" → 2a6701fb1cc3