Basic - 3.2.3. What **openid** scope request.

Issue #136 resolved
hideki nara created an issue

In draft 13:

"... The openid scope grants the RP access to the user identifier of the authenticated user of the session. ...."

This looks like, if I specify openid in the scope parameter, an id_token will be returned. How about UserInfo?

Comments (4)

  1. John Bradley

    Yes. If you specify only openid as the scope, you get back the id_token containing the userid and other session information. You get back an access token that will not give you any information other than the userid from the user-info endpoint.

  2. hideki nara reporter

    Thank you. I got it.

    But Basic requires that `return_type` MUST include "access_token id_token" with "openid" included in `scope`. That means that the RP gets access rights to the user's identifier and the user's profile data.

    I know this is just another wording thing.

  3. hideki nara reporter

    Otherwise, can the End User reject returning the access_token and return only the id_token when he/she consents at the OP after authentication?

  4. John Bradley

    Yes, the user can decline access to the user-info endpoint.

    The client would still get a token, but it would only be good to get the user ID from the endpoint. The OP can also return an error.

    Profile data is optional.
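The behaviour John describes above (scope=openid alone yields an ID Token carrying the user identifier and an access token that only ever returns the userid from UserInfo, with profile data depending on separate consent) can be modelled on the OP side. The following is an added example, not code from this issue thread or from the OpenID Connect specification; the scope-to-claim mapping, the claim names (`sub`, `name`, `email`, ...), the issuer/client identifiers and the sample user record are assumptions constructed for illustration.

```python
# Added example: how an OP limits the UserInfo response and the ID Token to the
# scopes the End-User actually consented to. Sample data below is constructed.
import time

# Constructed sample user record, keyed by claim name (hypothetical values).
SAMPLE_USER = {
    "sub": "248289761001",
    "name": "Jane Doe",
    "given_name": "Jane",
    "family_name": "Doe",
    "email": "jane@example.com",
    "email_verified": True,
}

# Which claims each scope unlocks (assumed mapping). "openid" on its own only
# ever unlocks the user identifier, never profile data.
SCOPE_TO_CLAIMS = {
    "openid": {"sub"},
    "profile": {"name", "given_name", "family_name"},
    "email": {"email", "email_verified"},
}


def granted_scopes(requested, consented):
    """Intersect the RP's requested scopes with what the End-User consented to.

    'openid' is required for an OpenID Connect request and is always retained;
    everything else (profile, email, ...) survives only if the user agreed to it.
    """
    requested_set = set(requested.split())
    if "openid" not in requested_set:
        raise ValueError("scope must include 'openid' for an OpenID Connect request")
    return {"openid"} | (requested_set & set(consented))


def userinfo_response(scopes, user):
    """Build the UserInfo response from the granted scopes.

    With scope=openid alone, the access token is 'only good to get the user ID':
    the response contains nothing beyond 'sub'.
    """
    allowed = set()
    for scope in scopes:
        allowed |= SCOPE_TO_CLAIMS.get(scope, set())
    return {claim: value for claim, value in user.items() if claim in allowed}


def id_token_claims(user, issuer, client_id, now=None):
    """ID Token payload for a scope=openid request: the user identifier plus
    session claims (issuer, audience, issued-at, expiry). No profile data here."""
    now = int(time.time()) if now is None else now
    return {
        "iss": issuer,
        "sub": user["sub"],
        "aud": client_id,
        "iat": now,
        "exp": now + 600,  # 10-minute lifetime, an arbitrary choice for the example
    }


if __name__ == "__main__":
    # RP asks for profile and email, but the End-User consents only to the identifier.
    scopes = granted_scopes("openid profile email", consented={"openid"})
    print(userinfo_response(scopes, SAMPLE_USER))  # only 'sub' comes back

    # Consent to 'profile' enlarges the UserInfo response; the ID Token keeps its shape.
    scopes = granted_scopes("openid profile email", consented={"openid", "profile"})
    print(userinfo_response(scopes, SAMPLE_USER))
    print(id_token_claims(SAMPLE_USER, "https://op.example", "client-123", now=1700000000))
```

The point of the example is the consent intersection in `granted_scopes`: the RP's `scope` request is a ceiling, not a grant, so an OP that declines the profile scope still issues a usable access token, just one that yields only the identifier from UserInfo.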
