- edited description
offline_access and "code token id_token"?
Issue #826
resolved
http://openid.net/specs/openid-connect-messages-1_0-16.html#OfflineAccess has "MUST ignore the offline_access request if the Client is not requesting a response_type of code or code id_token. "
but what about "code token id_token"?
Might it be better to say something like 'ignore the offline_access request if the Client is not requesting a response_type that would result in a code being returned'?
Comments (4)
-
reporter
-
- changed milestone to Implementer's Draft
-
assigned issue to
Michael Jones
This is another case of not precluding a legal response_type value. We will say something like offline access can only be granted for access tokens returned from the token endpoint.
-
+1 to Mike's wording. This is a much better way to say it.
I think in the case where the response_type is "code token id_token", the access_token returned in the response from the /authorization endpoint would NOT contain the offline_access scope while the access token returned from the /token endpoint would. This is consistent with Mike's wording.
-
- changed status to resolved
Fixed
#826- Clarified "response_type" values for which an "offline_access" request must be ignored.→ <<cset b1ab4262de4a>>
- Log in to comment
- Assignee
- Type
- Priority
- Status
- resolved
- Component
- Messages
- Milestone
- Implementer's Draft
- Version
- –
- Votes
- 0
- Watchers
- 0
