Issue #323 resolved

Messages - Why must the Authorization Server always return an Access Token?

Michael Jones
created an issue

Messages Overview says "3. The Authorization Server responds with access_token, id_token, and a few other variables." Why can't it sometimes reply with just an ID Token if that's all that's needed for the scenario?

Similarly, why aren't steps 4 (The Client sends a request with the access_token to the UserInfo endpoint) and 5 (UserInfo endpoint returns the additional user information supported by the Resource Server) OPTIONAL? Claims about the End-User aren't needed in all cases.

We should make use of the Access Token and UserInfo Endpoint optional in the case that no UserInfo claims are needed.

Comments (9)

  1. Justin Richer

    If you don't want to return the access token in the flow, then you're going to have to define the server's behavior in the case of the client asking for *just* idtoken in the return_type. Everything else MUST return either an access token or a code to get an access token in order to be an OAuth2 endpoint.
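As an added illustration of the distinction Justin draws (example code, not from the thread or the OpenID Connect spec): a client-side check that an authorization response carries exactly the artifacts its response_type obliges the server to return, so an id_token-only request is accepted without an access token while every other response_type must carry a code or an access token. It handles any space-separated combination of code, token and id_token; the redirect URLs, state and token values below are constructed.

```python
from urllib.parse import parse_qs, urlsplit

# Parameters each response_type value obliges the Authorization Server to
# return: OAuth 2.0 "code" and "token", OpenID Connect "id_token". Combined
# values ("code id_token", "id_token token", ...) require the union.
# The "none" response type is deliberately not modelled here.
REQUIRED_PARAMS = {
    "code": ("code",),
    "token": ("access_token", "token_type"),
    "id_token": ("id_token",),
}
ARTIFACTS = ("code", "access_token", "id_token")

def expected_params(response_type):
    """Return the set of parameters a response for this response_type must carry."""
    parts = response_type.split()
    if not parts or any(p not in REQUIRED_PARAMS for p in parts):
        raise ValueError(f"unsupported response_type: {response_type!r}")
    return {param for p in parts for param in REQUIRED_PARAMS[p]}

def check_authz_response(redirect_url, response_type, expected_state):
    """Validate the redirect back to the client; returns a list of problems (empty = OK).

    The code flow returns its parameters in the query; implicit and hybrid
    flows return them in the fragment.
    """
    url = urlsplit(redirect_url)
    raw = url.query if response_type == "code" else url.fragment
    params = {k: v[0] for k, v in parse_qs(raw).items()}
    errors = []
    if params.get("state") != expected_state:
        errors.append("state mismatch")
    if "error" in params:
        errors.append("error response: " + params["error"])
        return errors
    requested = expected_params(response_type)
    for name in sorted(requested):
        if not params.get(name):
            errors.append(f"missing {name}")
    # Anything the client did not ask for must not be handed back either.
    for name in ARTIFACTS:
        if name in params and name not in requested:
            errors.append(f"unexpected {name}")
    return errors
```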
