Basic - 3.3. Check Session Endpoint MAY be called or MUST be called?
Issue #87
resolved
It's not quite clear from Basic's description whether the RP has to call the OP's Check Session Endpoint or not. (Does Message or Standard describe it clearly?)
While 4.2 says "Clients MAY send requests with the following parameters to the UserInfo endpoint to obtain further information about the user."
Comments (2)
- changed status to resolved
fixes #87
In Basic we are making the assumption that they are not directly inspecting the token.
So it should be a MUST verify the id_token using the check session endpoint.