[Openid-specs-ab] Id token at token endpoint
torsten at lodderstedt.net
Sat Dec 29 09:30:08 UTC 2012
*** taking this discussion to the list again :-) ***
In my opinion, the id token represents an authentication event and it doesn't matter whether this event took place in a web browser or during a backend call.
On 29.12.2012 at 00:41, Brian Campbell <bcampbell at pingidentity.com> wrote:
> So an ID Token is tied (as much as is possible) to a web session at which the end user is present, which is really only achieved through interaction with the authorization endpoint. I'm only guessing/assuming though.
> On Fri, Dec 28, 2012 at 3:08 PM, Torsten Lodderstedt <torsten at lodderstedt.net> wrote:
>> On 28.12.2012 at 22:56, Brian Campbell <bcampbell at pingidentity.com> wrote:
>>> I'd always assumed that the intent was to preclude it?
>>> On Fri, Dec 28, 2012 at 1:25 AM, Torsten Lodderstedt <torsten at lodderstedt.net> wrote:
>>>> I just noticed the following statement in messages:
>>>> "Note that id_token MUST NOT be returned if the grant_type is not authorization_code"
>>>> What is the rationale for this restriction? I remember discussions not to allow an exchange of refresh tokens for id tokens. That's ok. But I can imagine providing clients with id tokens based on the password grant type. Do you want to preclude this?