Basic - 3.3. Check Session Endpoint MAY be called or MUST be called?

Issue #87 resolved
hideki nara
created an issue

It's not quite clear from Basic's description whether RPs have to call the OP's Check Session Endpoint or not. (Does Message or Standard describe it clearly?)

While 4.2 says "Clients MAY send requests with the following parameters to the UserInfo endpoint to obtain further information about the user."

Comments (2)

  1. John Bradley

    In Basic we are making the assumption that they are not directly inspecting the token.

    So it should be a MUST verify the id_token using the check session endpoint.
