Messages 2.2.3 id_token MUST NOT be returned if the grant_type is not authorization_code

Issue #787 resolved
John Bradley created an issue

We should relax this to allow id_tokens to be returned for refresh or assertions.

The id_token for refresh tokens is the one that was for the session that generated the refresh token.

Comments (4)

  1. Brian Campbell

    What's motivating wanting this change?

    Also, associating a web session with a refresh token is going to be difficult or impossible for some implementations.

  2. Former user Account Deleted

    To me, the id_token is always associated with the front end session, and should NOT be refreshed with the refresh token.
