[Openid-specs-ab] Multiple response types

Roland Hedberg roland.hedberg at adm.umu.se
Thu Nov 3 12:01:13 UTC 2011


Hi!

I have a bit of a problem getting my head around multiple response types and what they mean.

If the client specifies "code token", or for that matter "code id_token token", as response types in an authorization request, is this to be regarded as an implicit flow, a code flow, or neither?

Assuming it is a 'code flow'-like flow, then the client should be able to use the authorization code received to get a token from the token endpoint.

What is the relationship between the token information returned in the redirect URI and the response to the access token request?
Are they expected to be the same, except for refresh_token, which may appear in the access token response?

By the way, in the examples in 4.3.4.1 access_token is wrongly named token.

-- Roland




