[Openid-specs-ab] Id token at token endpoint

Torsten Lodderstedt torsten at lodderstedt.net
Fri Dec 28 08:25:57 UTC 2012


Hi,

I just noticed the following statement in messages:

"Note that id_token MUST NOT be returned if the grant_type is not authorization_code"

What is the rational for this restriction? I remember discussions not to allow an exchange of refresh tokens for id tokens. That's ok. But I can imagine to provide clients with id tokens based on the password grant type. Do you want to preclude this?

Regards,
Torsten.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20121228/917987d3/attachment.html>


More information about the Openid-specs-ab mailing list