[Openid-specs-ab] inconsistent treatment of id_token in access token response?

Brian Campbell bcampbell at pingidentity.com
Wed Mar 21 21:17:04 UTC 2012

§2.2.3 "Access Token Response" of Messages-08* states that the
"id_token MUST NOT be returned if the grant_type is not
authorization_code."  However, §3.2.1 "Refresh Token Response" of
Standard-08** has weaker normative language stating only that, "it
SHOULD NOT return id_token."  Then, though non-normative, the example
in that section of Standard seems to contradict both statements by
showing an id_token being returned in response to a refresh token
grant type request.

Is there some subtle reason for this that I'm not seeing?

If not, I'd suggest changing the SHOULD NOT in Standard §3.2.1 to a
MUST NOT (or removing "except that it SHOULD NOT return id_token" text
entirely) and removing the id_token from the JSON response in the


* http://openid.bitbucket.org/openid-connect-messages-1_0.html#access_token_response
** http://openid.bitbucket.org/openid-connect-standard-1_0.html#anchor13

More information about the Openid-specs-ab mailing list