Enable scope values to be used to request claims when using response_type "id_token"

Issue #785 resolved
Michael Jones created an issue

I believe that we should redefine what occurs when the "id_token" response_type is used and any of the scope values "profile", "email", "address", or "phone" are used. Currently that combination is an error condition. I'm proposing that we define it as requesting that the requested claims be returned in the issued ID Token - something we're already asking people to do with the "claims" request when this response_type value is used.

Particularly since many implementations now aren't going to support requests for individual claims, since "claims" isn't MTI, if we want the "id_token" response_type to be usable and self-issued OPs to be usable, I think we have to do this.
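The behaviour proposed above, as an added example that is not part of the original issue or of any OP implementation: `plan_claims` is a hypothetical helper, and the scope-to-claim table follows OpenID Connect Core section 5.4. It shows that with response_type "id_token" there is no access token, so the scope-requested claims can only be delivered in the ID Token.

```python
# Scope-to-claim mapping as defined in OpenID Connect Core, section 5.4.
SCOPE_CLAIMS = {
    "profile": ["name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website", "gender",
                "birthdate", "zoneinfo", "locale", "updated_at"],
    "email": ["email", "email_verified"],
    "address": ["address"],
    "phone": ["phone_number", "phone_number_verified"],
}

KNOWN_RESPONSE_TYPES = {"code", "token", "id_token"}


def plan_claims(response_type: str, scope: str) -> dict:
    """Hypothetical helper: decide where scope-requested claims are delivered.

    Returns {"id_token": [...], "userinfo": [...]} for one authorization request.
    """
    types = set(response_type.split())
    scopes = scope.split()
    if "openid" not in scopes:
        raise ValueError("not an OpenID Connect request: 'openid' scope missing")
    if not types or not types <= KNOWN_RESPONSE_TYPES:
        raise ValueError(f"unsupported response_type: {response_type!r}")

    # Expand scope values to claim names, keeping order and dropping duplicates.
    requested = []
    for value in scopes:
        for claim in SCOPE_CLAIMS.get(value, []):
            if claim not in requested:
                requested.append(claim)

    # An access token is issued (directly or after the code exchange) for every
    # response_type except plain "id_token".
    if types == {"id_token"}:
        # No access token means no UserInfo call: the proposal puts the
        # claims into the ID Token instead of rejecting the request.
        return {"id_token": requested, "userinfo": []}
    return {"id_token": [], "userinfo": requested}


if __name__ == "__main__":
    # Constructed sample requests.
    print(plan_claims("id_token", "openid email"))
    print(plan_claims("code", "openid email phone"))
```
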

Comments (4)

  1. Vladimir Dzhuvinov

    This looks like a useful and intuitive shortcut for specifying that the claims should go into the id_token. Any side-effects or implications that may speak against this?
