<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Hi Dave,<br class=""><br class=""><blockquote type="cite" class="">Am 01.08.2018 um 06:44 schrieb Dave Tonge <<a href="mailto:dave.tonge@momentumft.co.uk" class="">dave.tonge@momentumft.co.uk</a>>:<br class=""><br class=""> I don't think it would make sense for a client to sometimes request a response type of `signed_code` and sometimes request a response type of `code id_token`, as Nat says that seems to be conflating things.<br class=""></blockquote><div class=""><br class=""></div>I agree.<div class=""><br class=""></div><div class="">What about always using the new response type?</div><div class=""><br class=""></div><div class="">For API access authorization, the client would request </div><div class=""><br class=""></div><div class="">GET /authorise?responseType=<b class="">signed_code</b>&<br class="">client_id=s6BhdRkqt3&<br class="">redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb&<br class=""><b class="">scope=pis:f0bbf1fd-2857-4e1b-a403-9fd1dc171183</b>&<br class="">state= S8NJ7uqk5fY4EjNvP_G_FtyJu6pUsvH9jsYni9dMAJw&<br class="">nonce=n-0S6_WzA2Mj HTTP/1.1<br class="">Host: <a href="http://accounts.example-bank.com" class="">accounts.example-bank.com</a></div><div class=""><br class=""></div><div class="">whereas for identity federation it would just request with another scope value</div><div class=""><br class=""></div><div class="">GET /authorise?responseType=<b class="">signed_code</b>&</div>client_id=s6BhdRkqt3&<br class="">redirect_uri=https%3A%2F%2Fclient%2Eexample%2Ecom%2Fcb&<br class=""><b class="">scope=openid%20email%20profile</b>&<br class="">state= S8NJ7uqk5fY4EjNvP_G_FtyJu6pUsvH9jsYni9dMAJw&<br class="">nonce=n-0S6_WzA2Mj HTTP/1.1<br class="">Host: <a href="http://accounts.example-bank.com" class="">accounts.example-bank.com</a><div class=""><br class=""></div><div class="">In the latter example, the client would obtain the ID Token from the token endpoint using the authorization code.</div><div class=""><br class=""></div><div class="">Kind regards,</div><div class="">Torsten. </div><div class=""><br class=""></div><div class="">PS: I created a tracker issue for my proposal.</div></body></html>