Messages - How is id_token returned when not accompanied by a code or token?

Issue #331 duplicate
Michael Jones created an issue

The "openid" scope definition currently includes these rules for returning an id_token: "The openid value also requests that the ID Token associated with the authentication session be returned. If the response_type includes token, the ID Token is returned in the Authorization Response along with the Access Token. If the response_type includes code, the ID Token is returned as part of the Token endpoint response."

These instructions should also describe how the id_token is returned when not accompanied by a code or token.

Also, this is the wrong place to put these detailed instructions. It should be moved out of the "openid" scope definition and into normative text in a more logical place.

Comments (5)

  1. Nat Sakimura

    I have a question:

    [Q1] If scope does not include openid, should the server return error if response_type=token%20id_token ?

    response_type is apparently a parameter that signals what token (code, access_token, etc.) the client wants from the Authorization EP. (I think OAuth 2.0 should define it like this. Currently, it has no semantics and just describes the behavior, which is causing a confusion.)

    The logical way I think is to require scope=openid to be specified to return id_token (because otherwise the semantics of id_token is undefined).

    Then, it follows that:

                  <t hangText="response_type">A space character(%20) delimited, 
    			  case sensitive list of string values that tells  
    			  what response the Client desires from the Authorization Endpoint. 
                  Acceptable values include <spanx
                  style="verb">code</spanx>, <spanx style="verb">token</spanx>, and
                  <spanx style="verb">id_token</spanx>.
                  The value MUST include <spanx style="verb">code</spanx> for
                  requesting an Authorization Code, <spanx style="verb">token</spanx>
                  for requesting an Access Token, and <spanx 
                  style="verb">id_token</spanx> for requesting an ID Token.</t>


                  <t hangText="scope">A space character (%20) delimited, case sensitive list of
                  string values. The values specify an additive list of Claims
                  that are returned by the UserInfo Endpoint. The following values
                  are defined:<list style="hanging">
                      <t hangText="openid">REQUIRED. Informs the Authorization
                      Server that the Client is making an OpenID Connect request. If the
                      <spanx style="verb">openid</spanx> scope is not present,
                      the request MUST NOT be treated as an OpenID Connect request 
                     and MUST NOT return id_token. </t>
  2. Log in to comment