offline_access and "code token id_token"?
http://openid.net/specs/openid-connect-messages-1_0-16.html#OfflineAccess has "MUST ignore the offline_access request if the Client is not requesting a response_type of code or code id_token. "
but what about "code token id_token"?
Might it be better to say something like 'ignore the offline_access request if the Client is not requesting a response_type that would result in a code being returned'?
Comments (4)
-
reporter -
- changed milestone to Implementer's Draft
-
assigned issue to
This is another case of not precluding a legal response_type value. We will say something like offline access can only be granted for access tokens returned from the token endpoint.
-
+1 to Mike's wording. This is a much better way to say it.
I think in the case where the response_type is "code token id_token", the access_token returned in the response from the /authorization endpoint would NOT contain the offline_access scope while the access token returned from the /token endpoint would. This is consistent with Mike's wording.
-
- changed status to resolved
Fixed
#826 - Clarified "response_type" values for which an "offline_access" request must be ignored. → <<cset b1ab4262de4a>>
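The rule this thread converges on, as an added example that is not part of the original issue or of the specification text: offline_access is honoured only when the response_type results in a code being returned, and only for the access token issued at the token endpoint. The function and dictionary key names are hypothetical, and the requests are constructed samples.

```python
# Added illustration. plan_grant and its dictionary keys are hypothetical
# names, not taken from the OpenID Connect specification.

def parse_response_type(response_type: str) -> frozenset:
    """Treat response_type as a space-delimited, order-insensitive set."""
    return frozenset(response_type.split())


def plan_grant(response_type: str, scope: str) -> dict:
    """Decide which scopes each endpoint's access token carries.

    Rule from the thread: offline access can only be granted for access
    tokens returned from the token endpoint, so the request is ignored
    unless the response_type results in a code being returned.
    """
    types = parse_response_type(response_type)
    requested = scope.split()
    online_only = [s for s in requested if s != "offline_access"]

    plan = {
        "authorization_endpoint_token_scope": None,  # no token issued there
        "token_endpoint_token_scope": None,          # no code, so no exchange
        "offline_access_honoured": False,
    }
    if "token" in types:
        # Access token returned directly from the authorization endpoint:
        # it never carries offline_access, whatever else was requested.
        plan["authorization_endpoint_token_scope"] = online_only
    if "code" in types:
        # The code is redeemed at the token endpoint, the only place where
        # offline_access can take effect.
        plan["token_endpoint_token_scope"] = list(requested)
        plan["offline_access_honoured"] = "offline_access" in requested
    return plan


if __name__ == "__main__":
    # Constructed sample requests, all asking for "openid offline_access".
    for rt in ("code", "code id_token", "code token id_token",
               "id_token token", "token id_token code"):
        print(f"{rt!r:24} -> {plan_grant(rt, 'openid offline_access')}")
```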