language in token response may appear to override OIDC
10.1.1. Successful Token Response says:
After receiving and validating a valid and authorized Token Request from the Client and when the end-user associated with the supplied auth_req_id has been authenticated and has authorized the request, the OpenID Provider returns a successful response that includes an ID Token, an Access Token and optionally a Refresh Token as specified in Section 3.1.3.3 of [OpenID.Core].
I'm not sure if it's deliberate, but this implies to me that the scope parameter (as defined in https://tools.ietf.org/html/rfc6749#section-5.1 ) cannot be returned.
Comments (6)
- changed milestone to CIBA Post-Implementer's Draft
reporter The simplest change would be:
the OpenID Provider returns a successful response as specified in Section 3.1.3.3 of [OpenID.Core].
(The issue in the current language is it’s not clear if the 3.1.3.3 language refers to the whole response or just the refresh token.)
- changed milestone to CIBA Implementer's Draft
- changed status to resolved
afc5e6c goes with the simplest change as suggested
reporter Looks good to me - thanks Brian!
This isn't deliberate. Are you sure it could be misread the way you are saying?
The language in OIDC 3.1.3.3 is:
I'm not sure how we could word it differently, but I'm open to suggestions.