[Openid-specs-ab] Id token at token endpoint
Torsten Lodderstedt
torsten at lodderstedt.net
Fri Dec 28 08:25:57 UTC 2012
Hi,
I just noticed the following statement in messages:
"Note that id_token MUST NOT be returned if the grant_type is not authorization_code"
What is the rationale for this restriction? I remember discussions not to allow an exchange of refresh tokens for id tokens. That's ok. But I can imagine providing clients with id tokens based on the password grant type. Do you want to preclude this?
Regards,
Torsten.