- assigned issue to
- changed status to open
Messages - 2.2.3 id_token MUST NOT be returned for grant_type=refresh
Issue #540
resolved
Current text goes:
{{{
In addition to the OAuth 2.0 response parameters, the following parameters MUST be included in the response if the Authorization Request scope parameter contains openid:
}}}

It is not true. If the grant_type=refresh, then it MUST NOT return id_token as the user may not be present. It actually should return id_token only when grant_type=authorization_code.
Comments (2)
reporter - changed status to resolved
Fix #540. Clarified when id_token is returned from token endpoint.
Nat will make this edit