[Openid-specs-ab] Issue #1116: Returning end user claims in id token (openid/connect)
issues-reply at bitbucket.org
Wed Oct 9 08:21:51 UTC 2019
New issue 1116: Returning end user claims in id token
Hi, while reading the docs from one of the certified products for OpenID ([https://www.npmjs.com/package/openid-client](https://www.npmjs.com/package/openid-client)) I have seen that:
"[Core 1.0 - Requesting Claims using Scope Values](https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims) defines that claims requested using the scope parameter are only returned from the UserInfo Endpoint unless the response_type is id_token"
The exact part in the specification says:
"The Claims requested by the profile, email, address, and phone scope values are returned from the UserInfo Endpoint, as described in Section 5.3.2, when a response_type value is used that results in an Access Token being issued. However, when no Access Token is issued (which is the case for the response_type value id_token), the resulting Claims are returned in the ID Token."
I'm not sure if that statement means "Do not put end user claims in the id token unless response_type is id_token"...
So my question is, if I use just "code" as the response type in a request like this:
Then should the id token returned from the **/token** endpoint (when exchanging the code) have the End-User claims inside (I mean email and email_verified)? Or should it not contain these claims, according to the specification?