The "openid" scope definition currently includes these rules for returning an id_token: "The openid value also requests that the ID Token associated with the authentication session be returned. If the response_type includes token, the ID Token is returned in the Authorization Response along with the Access Token. If the response_type includes code, the ID Token is returned as part of the Token endpoint response."
These instructions should also describe how the id_token is returned when not accompanied by a code or token.
Also, this is the wrong place to put these detailed instructions. It should be moved out of the "openid" scope definition and into normative text in a more logical place.