Messages 2.2.3 id_token MUST NOT be returned if the grant_type is not authorization_code
Issue #787
resolved
We should relax this to allow id_tokens to be returned for refresh or assertions.
The id_token for refresh tokens is the one that was for the session that generated the refresh token.
Comments (4)
Account Deleted: To me, the id_token is always associated with the front end session, and should NOT be refreshed with the refresh token.
- changed milestone to Implementer's Draft
- changed component to Messages
We can say that the id_token MUST be returned when the grant_type is authorization_code and MAY be returned for other grant_types.
People will think about security considerations.
-
- changed status to resolved
Fixed
#787 - Don't prohibit returning an ID Token from the Token Endpoint when grant types other than "authorization_code" are used. → <<cset 97d3f21a394e>>
What's motivating wanting this change?
Also, associating a web session with a refresh token is going to be difficult or impossible for some implementations.