Messages - Why must the Authorization Server always return an Access Token?
Messages Overview says "3. The Authorization Server responds with access_token, id_token, and a few other variables." Why can't it sometimes reply with just an ID Token if that's all that's needed for the scenario?
Similarly, why aren't steps 4 (The Client sends a request with the access_token to the UserInfo endpoint) and 5 (UserInfo endpoint returns the additional user information supported by the Resource Server) OPTIONAL? Claims about the End-User aren't needed in all cases.
We should make use of the Access Token and UserInfo Endpoint optional in the case that no UserInfo claims are needed.