[Openid-specs-ab] [openid/connect] Messages 2.2.3 "Access Token Response" (issue #557)

Michael Jones issues-reply at bitbucket.org
Fri Mar 23 00:42:30 UTC 2012

--- you can reply above this line ---

New issue 557: Messages 2.2.3 "Access Token Response"

Michael Jones / mbj on Fri, 23 Mar 2012 01:42:30 +0100:

  §2.2.3 "Access Token Response" of Messages-08* states that the "id_token MUST NOT be returned if the grant_type is not authorization_code."  However, §3.2.1 "Refresh Token Response" of
Standard-08** has weaker normative language stating only that, "it SHOULD NOT return id_token."  Then, though non-normative, the example in that section of Standard seems to contradict both statements by showing an id_token being returned in response to a refresh token grant type request.

Is there some subtle reason for this that I'm not seeing?

If not, I'd suggest changing the SHOULD NOT in Standard §3.2.1 to a MUST NOT (or removing "except that it SHOULD NOT return id_token" text
entirely) and removing the id_token from the JSON response in the example.


Responsible: mbj

This is an issue notification from bitbucket.org. You are receiving
this either because you are the owner of the issue, or you are
following the issue.

More information about the Openid-specs-ab mailing list