[Openid-specs-ab] Other grant types and scope openid

Torsten Lodderstedt torsten at lodderstedt.net
Mon Jul 30 06:17:17 UTC 2012


Hi all,

What is the expected behavior in case a client requests the scope 
"openid" with a grant type other than code or token? For example, an app 
could request it at the token endpoint using "Resource Owner Password 
Credentials". Given the recent discussion on refresh tokens and id 
tokens, the id token concept seems to be tied to browser sessions. So I 
don't see a need to return an id token to apps in cases where no browser 
session is involved.

Comments?

regards,
Torsten.

