[Openid-specs-ab] id_token in token refresh response

John Bradley ve7jtb at ve7jtb.com
Thu Oct 13 20:03:58 UTC 2011


We had the id_token as a required response parameter from the token endpoint.

I changed Standard 5.2 to be consistent with scope being optional on an access token refresh.
In OAuth if you omit the parameter the default is the scopes that were originally requested.

If you want to down scope you include a subset of the scopes originally requested.

So if you only wanted to refresh the access token for the user_info endpoint you would send:
scope=profile

That would only return an access token.

In lots of cases the user may no longer be logged in when you are refreshing a token, the token may also have other scopes attached.

Let me know if people think the id_token should always be provided from the token endpoint on refresh.

You still get it if you include openid in the scope or don't include the scope, as openid is always asked for in the authorization request.

John B.
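The refresh rule described in the post, modelled as a toy token endpoint handler (an added example, not code from the post or from the OpenID specs). The grant store, the refresh token value and the id_token placeholder are constructed; the rejection of scopes that were not originally granted follows the OAuth 2.0 `invalid_scope` error.

```python
"""Toy token-endpoint refresh handler for the scope/id_token rule in the post."""
import secrets
from typing import Optional

# Constructed sample grant store: refresh token -> scopes from the original
# authorization request (openid is always among them for an OpenID request).
GRANTS = {"rt-sample": frozenset({"openid", "profile", "email"})}


def refresh(refresh_token: str, scope: Optional[str] = None) -> dict:
    """Return the token response for a refresh request.

    - scope omitted: default to the scopes originally requested (OAuth default).
    - scope present: down-scoping only; a scope not in the original grant is
      rejected with the OAuth 2.0 'invalid_scope' error, never silently widened.
    - id_token is included only when 'openid' is in the effective scope, so
      scope=profile yields an access token alone.
    """
    granted = GRANTS.get(refresh_token)
    if granted is None:
        return {"error": "invalid_grant"}
    effective = granted if scope is None else frozenset(scope.split())
    if not effective or not effective <= granted:
        return {"error": "invalid_scope"}
    response = {
        "access_token": secrets.token_urlsafe(32),  # constructed opaque token
        "token_type": "Bearer",
        "scope": " ".join(sorted(effective)),
    }
    if "openid" in effective:
        # Placeholder for the signed ID Token a real server would mint here.
        response["id_token"] = "ID_TOKEN_PLACEHOLDER"
    return response


if __name__ == "__main__":
    print(refresh("rt-sample"))                    # full scope, id_token present
    print(refresh("rt-sample", "profile"))         # access token only
    print(refresh("rt-sample", "profile admin"))   # {'error': 'invalid_scope'}
```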