[Openid-specs-ab] inconsistent treatment of id_token in access token response?
bcampbell at pingidentity.com
Wed Mar 21 21:17:04 UTC 2012
§2.2.3 "Access Token Response" of Messages-08* states that the
"id_token MUST NOT be returned if the grant_type is not
authorization_code." However, §3.2.1 "Refresh Token Response" of
Standard-08** has weaker normative language stating only that, "it
SHOULD NOT return id_token." Then, though non-normative, the example
in that section of Standard seems to contradict both statements by
showing an id_token being returned in response to a refresh token
grant type request.
Is there some subtle reason for this that I'm not seeing?
If not, I'd suggest changing the SHOULD NOT in Standard §3.2.1 to a
MUST NOT (or removing "except that it SHOULD NOT return id_token" text
entirely) and removing the id_token from the JSON response in the
More information about the Openid-specs-ab