[Openid-specs-ab] response_type=code id_token

Nat Sakimura sakimura at gmail.com
Tue Feb 14 08:33:29 UTC 2012

So, in today's WG Call, John explained that it was what FB was doing, and
would probably be simpler for developers.

(It is tracked as https://bitbucket.org/openid/connect/issue/536/ )

I checked with Tatsuya, who is building solutions for our customer and he
said it indeed would be simpler, so that is a good news.

My concern is semantics.

As I understand, *scope* is something that request what is to be returned
overall, and *response_type *is a parameter that request what is to be
returned from the Authorization endpoint response parameters.

So, if response_type=code, code is returned from the Authz EP, and if
response_type=token, token is retunred from the Authz EP. Expanding on this
semantics, *response_type=code id_token* would mean that code and id_token
has to be returned from Authz EP as independent parameters. If *code *is to
be returned as part of the *id_token*, I feel that it should be just*
 id_token*, or a new response type such as*code_in_id_token*.

We can then through away a response_type "code id_token".

For "code token id_token", it would be replaced with "code_in_id_token
token". This is going to reduce the number of permutation.


Nat Sakimura (=nat)
Chairman, OpenID Foundation
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20120214/2c81137b/attachment.html>

More information about the Openid-specs-ab mailing list