[Openid-specs-ab] Id token at token endpoint
torsten at lodderstedt.net
Fri Dec 28 08:25:57 UTC 2012
I just noticed the following statement in messages:
"Note that id_token MUST NOT be returned if the grant_type is not authorization_code"
What is the rationale for this restriction? I remember discussions not to allow an exchange of refresh tokens for id tokens. That's ok. But I can imagine providing clients with id tokens based on the password grant type. Do you want to preclude this?