[Openid-specs-ab] Response types clarification
ve7jtb at ve7jtb.com
Mon Feb 20 18:48:30 UTC 2012
On 2012-02-20, at 3:30 PM, Torsten Lodderstedt wrote:
> Hi all,
> I'm trying to catch up with the Implementors Draft and need some advice from the group.
> Is it correct that "code" is the only response type, which is delivered to the client via URI query parameter? For all other response types, the response parameters are encoded within the URI fragment.
> Furthermore, is the client always issued an access token _and_ an id_token for scope "openid" and response type "code"?
The response from the Authorization server is code as was asked for.
The Token endpoint includes id_token in its response as an extra parameter.
So strictly speaking, yes, id_token is always issued if the scope is 'openid' (scope is a single value with spaces, so don't say includes) and the response_type is code.
However the response type is code and only code.
The id_token is only returned if code is exchanged at the token endpoint for an access_token and id_token.
So I suppose you could avoid getting id_token by not exchanging code, but I don't think anyone is going to think that is a good idea.
The problem is that response_type only controls what comes back from the Authorization endpoint, and not the token endpoint.
The only option we found was overloading a scope to change the behaviour of the token endpoint to return the extra value.
The token endpoint response is direct, so size is not a big issue. It was simpler to always return it from that endpoint than create a complicated way of asking for it from the token endpoint.
Worst case the response is a bit bigger, but the client ignores the extra parameter.
> thanks in advance,
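An added example (not part of the thread) showing the client-side consequence of the answer above: a "code" response is read from the URI query, any other response_type from the fragment, scope is treated as one space-delimited value, and a code exchange with scope openid is expected to carry an id_token next to the access_token. The redirect URIs, the "id_token" response_type used as the non-code case, and the token endpoint reply are constructed sample values.

```python
from urllib.parse import urlsplit, parse_qs

RESPONSE_PARAMS = ("code", "access_token", "id_token")


def extract_authz_response(redirect_uri: str, response_type: str) -> dict:
    """Return the authorization response parameters from the redirect URI.
    Only response_type "code" delivers them in the query string; every other
    response_type delivers them in the fragment (as stated in the thread)."""
    parts = urlsplit(redirect_uri)
    expected = parts.query if response_type == "code" else parts.fragment
    other = parts.fragment if response_type == "code" else parts.query
    # A response parameter in the wrong URI component means the server did not
    # follow the response_type rules; refuse it rather than guess.
    if any(k in parse_qs(other) for k in RESPONSE_PARAMS):
        raise ValueError("response parameters in unexpected URI component")
    return {k: v[0] for k, v in parse_qs(expected, keep_blank_values=True).items()}


def scope_has_openid(scope: str) -> bool:
    # scope is a single space-separated string; split it before testing membership
    return "openid" in scope.split()


def check_token_response(token_response: dict, scope: str) -> dict:
    """Validate the token endpoint reply for a code exchange. With scope openid
    the server always returns an id_token with the access_token; a client that
    did not request openid ignores any extra id_token."""
    if "access_token" not in token_response:
        raise ValueError("token response lacks access_token")
    result = {"access_token": token_response["access_token"]}
    if scope_has_openid(scope):
        if "id_token" not in token_response:
            raise ValueError("scope openid requested but no id_token returned")
        result["id_token"] = token_response["id_token"]
    return result


# Constructed sample values (not taken from any real deployment)
CODE_REDIRECT = "https://client.example/cb?code=c0nstructedCode&state=af0ifjsldkj"
IDTOKEN_REDIRECT = "https://client.example/cb#id_token=eyJ.constructed.idtoken&state=af0ifjsldkj"
TOKEN_RESPONSE = {
    "access_token": "c0nstructedAccessToken",
    "token_type": "Bearer",
    "expires_in": 3600,
    "id_token": "eyJ.constructed.idtoken",
}

if __name__ == "__main__":
    print(extract_authz_response(CODE_REDIRECT, "code"))
    print(extract_authz_response(IDTOKEN_REDIRECT, "id_token"))
    print(check_token_response(TOKEN_RESPONSE, "openid profile"))
```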