Messages - Why must the Authorization Server always return an Access Token?

Issue #323 resolved
Michael Jones created an issue

Messages Overview says "3. The Authorization Server responds with access_token, id_token, and a few other variables." Why can't it sometimes reply with just an ID Token if that's all that's needed for the scenario?

Similarly, why aren't steps 4 (The Client sends a request with the access_token to the UserInfo endpoint) and 5 (UserInfo endpoint returns the additional user information supported by the Resource Server) OPTIONAL? Claims about the End-User aren't needed in all cases.

We should make use of the Access Token and UserInfo Endpoint optional in the case that no UserInfo claims are needed.

Comments (9)

  1. Nat Sakimura

    access_token is returned as otherwise it will not be OAuth 2.0 compliant.

    UserInfo etc. is optional. It normatively says MAY, which means optional.

  2. Former user Account Deleted

    If you don't want to return the access token in the flow, then you're going to have to define the server's behavior in the case of the client asking for *just* idtoken in the return_type. Everything else MUST return either an access token or a code to get an access token in order to be an OAuth2 endpoint.
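As an added illustration (not code from this issue or from the OpenID specifications), a client-side check that an authorization response carries exactly the parameters its requested response_type obliges, including the ID Token-only case that the comment above says would need its own defined behaviour (OpenID Connect defines response_type=id_token for it); the redirect URLs and token values are constructed.

```python
from urllib.parse import parse_qs, urlsplit

# Parameters each response_type value obliges the Authorization Server to return.
# "code" and "token" are RFC 6749; "id_token" is the OpenID Connect response type
# covering the "just an ID Token" case. RFC 6749 section 5.1 makes token_type
# REQUIRED whenever an access_token is issued; combinations are the union.
TOKEN_PARAMS = {
    "code": {"code"},
    "token": {"access_token", "token_type"},
    "id_token": {"id_token"},
}
ALL_TOKEN_PARAMS = set().union(*TOKEN_PARAMS.values())


def required_params(response_type: str) -> set:
    """Union of the parameters implied by a space-separated response_type."""
    parts = response_type.split()
    if not parts or any(p not in TOKEN_PARAMS for p in parts):
        raise ValueError(f"unsupported response_type: {response_type!r}")
    return set().union(*(TOKEN_PARAMS[p] for p in parts))


def check_authorization_response(redirect_url: str, response_type: str, expected_state: str) -> list:
    """Return a list of problems (empty when the response is acceptable).

    The client compares what it received with what it asked for: a missing
    token, an unrequested token, or a wrong state is rejected, not consumed."""
    parts = urlsplit(redirect_url)
    # Responses containing tokens arrive in the fragment; code-only in the query.
    params = {k: v[0] for k, v in parse_qs(parts.fragment or parts.query).items()}
    if "error" in params:
        return [f"error response: {params['error']}"]
    problems = []
    if params.get("state") != expected_state:
        problems.append("state mismatch or missing")
    required = required_params(response_type)
    for name in sorted(required - params.keys()):
        problems.append(f"missing required parameter: {name}")
    for name in sorted((ALL_TOKEN_PARAMS & params.keys()) - required):
        problems.append(f"unrequested parameter returned: {name}")
    return problems


# Constructed sample redirects (placeholder token values, not real ones).
ID_TOKEN_ONLY = "https://client.example/cb#id_token=eyJ.header.sig&state=af0ifjsldkj"
WITH_UNREQUESTED_ACCESS_TOKEN = (
    "https://client.example/cb#id_token=eyJ.header.sig"
    "&access_token=SlAV32hkKG&token_type=bearer&state=af0ifjsldkj"
)
CODE_ONLY = "https://client.example/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz"
```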
