Messages - How is id_token returned when not accompanied by a code or token?

Issue #331 duplicate
Michael Jones created an issue

The "openid" scope definition currently includes these rules for returning an id_token: "The openid value also requests that the ID Token associated with the authentication session be returned. If the response_type includes token, the ID Token is returned in the Authorization Response along with the Access Token. If the response_type includes code, the ID Token is returned as part of the Token endpoint response."

These instructions should also describe how the id_token is returned when not accompanied by a code or token.

Also, this is the wrong place to put these detailed instructions. It should be moved out of the "openid" scope definition and into normative text in a more logical place.

Comments (5)

  1. Nat Sakimura

    I have a question:

    [Q1] If scope does not include openid, should the server return an error if response_type=token%20id_token ?

    response_type is apparently a parameter that signals what token (code, access_token, etc.) the client wants from the Authorization EP. (I think OAuth 2.0 should define it like this. Currently, it has no semantics and just describes the behavior, which is causing confusion.)

    The logical way, I think, is to require scope=openid to be specified to return id_token (because otherwise the semantics of id_token is undefined).

    Then, it follows that:

        <t hangText="response_type">A space character (%20) delimited,
          case sensitive list of string values that tells
          what response the Client desires from the Authorization Endpoint.
          Acceptable values include <spanx style="verb">code</spanx>,
          <spanx style="verb">token</spanx>, and
          <spanx style="verb">id_token</spanx>.
          The value MUST include <spanx style="verb">code</spanx> for
          requesting an Authorization Code, <spanx style="verb">token</spanx>
          for requesting an Access Token, and <spanx style="verb">id_token</spanx>
          for requesting an ID Token.</t>
    

    and

        <t hangText="scope">A space character (%20) delimited, case sensitive list of
          string values. The values specify an additive list of Claims
          that are returned by the UserInfo Endpoint. The following values
          are defined:<list style="hanging">
            <t hangText="openid">REQUIRED. Informs the Authorization
              Server that the Client is making an OpenID Connect request. If the
              <spanx style="verb">openid</spanx> scope is not present,
              the request MUST NOT be treated as an OpenID Connect request
              and MUST NOT return id_token.</t>
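To make the two rules above concrete, here is an added example (not part of the issue or the spec text) that parses an authorization request URL and applies them: response_type lists what the Client wants, and an id_token may only be requested and returned when scope contains openid. The function name, the URLs and the "returned by" labels are my own; where the draft text is silent (response_type=id_token alone), the example assumes the ID Token comes straight back from the Authorization Endpoint.

```python
from urllib.parse import parse_qs, urlsplit

# The three response_type values the proposed text defines.
VALID_RESPONSE_TYPES = {"code", "token", "id_token"}


def _split_values(raw):
    # Both parameters are space (%20) delimited, case sensitive lists;
    # parse_qs has already decoded %20 and '+' to a plain space.
    return raw.split(" ") if raw else []


def check_authorization_request(url):
    """Apply the proposed response_type / scope rules to one request URL.

    Returns a dict with an 'error' key, or with 'openid_request',
    'tokens_requested' and 'id_token_returned_by' (None when no ID Token
    may be returned). Names and labels here are constructed for the example.
    """
    query = parse_qs(urlsplit(url).query)
    response_type = _split_values(query.get("response_type", [""])[0])
    scope = _split_values(query.get("scope", [""])[0])

    unknown = [v for v in response_type if v not in VALID_RESPONSE_TYPES]
    if not response_type or unknown:
        return {"error": "unsupported_response_type", "values": unknown}

    openid_request = "openid" in scope
    # Proposed rule: without the openid scope this is a plain OAuth 2.0 request,
    # so an ID Token has no defined semantics and MUST NOT be returned.
    if "id_token" in response_type and not openid_request:
        return {"error": "invalid_scope", "reason": "id_token requires scope=openid"}

    result = {"openid_request": openid_request,
              "tokens_requested": sorted(response_type),
              "id_token_returned_by": None}
    if openid_request and ("id_token" in response_type or "token" in response_type):
        # Draft text: with token, the ID Token accompanies the Access Token in the
        # Authorization Response. Assumption: id_token alone behaves the same way.
        result["id_token_returned_by"] = "authorization_endpoint"
    elif openid_request and "code" in response_type:
        # Draft text: with code, the ID Token is part of the Token Endpoint response.
        result["id_token_returned_by"] = "token_endpoint"
    return result
```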
    