<p style="margin-top:9px;margin-right:0px;margin-bottom:9px;margin-left:0px;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;border-top-width:0px;border-right-width:0px;border-bottom-width:0px;border-left-width:0px;border-style:initial;border-color:initial;font-size:13px;font-family:Helvetica,Arial,sans-serif;vertical-align:baseline;line-height:18px;color:rgb(57,57,57);background-color:rgb(255,255,255)">
So, in today's WG Call, John explained that it was what FB was doing, and would probably be simpler for developers.</p><p style="margin-top:9px;margin-right:0px;margin-bottom:9px;margin-left:0px;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;border-top-width:0px;border-right-width:0px;border-bottom-width:0px;border-left-width:0px;border-style:initial;border-color:initial;font-size:13px;font-family:Helvetica,Arial,sans-serif;vertical-align:baseline;line-height:18px;color:rgb(57,57,57);background-color:rgb(255,255,255)">
(It is tracked as <a href="https://bitbucket.org/openid/connect/issue/536/">https://bitbucket.org/openid/connect/issue/536/</a> )</p><p style="margin-top:9px;margin-right:0px;margin-bottom:9px;margin-left:0px;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;border-top-width:0px;border-right-width:0px;border-bottom-width:0px;border-left-width:0px;border-style:initial;border-color:initial;font-size:13px;font-family:Helvetica,Arial,sans-serif;vertical-align:baseline;line-height:18px;color:rgb(57,57,57);background-color:rgb(255,255,255)">
I checked with Tatsuya, who is building solutions for our customer, and he said it indeed would be simpler, so that is good news.</p><p style="margin-top:9px;margin-right:0px;margin-bottom:9px;margin-left:0px;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;border-top-width:0px;border-right-width:0px;border-bottom-width:0px;border-left-width:0px;border-style:initial;border-color:initial;font-size:13px;font-family:Helvetica,Arial,sans-serif;vertical-align:baseline;line-height:18px;color:rgb(57,57,57);background-color:rgb(255,255,255)">
My concern is semantics.</p><p style="margin-top:9px;margin-right:0px;margin-bottom:9px;margin-left:0px;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;border-top-width:0px;border-right-width:0px;border-bottom-width:0px;border-left-width:0px;border-style:initial;border-color:initial;font-size:13px;font-family:Helvetica,Arial,sans-serif;vertical-align:baseline;line-height:18px;color:rgb(57,57,57);background-color:rgb(255,255,255)">
As I understand, <strong style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0px;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;border-top-width:0px;border-right-width:0px;border-bottom-width:0px;border-left-width:0px;border-style:initial;border-color:initial;font-weight:bold;font-style:inherit;font-family:inherit;vertical-align:baseline">scope</strong> is something that requests what is to be returned overall, and <strong style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0px;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;border-top-width:0px;border-right-width:0px;border-bottom-width:0px;border-left-width:0px;border-style:initial;border-color:initial;font-weight:bold;font-style:inherit;font-family:inherit;vertical-align:baseline">response_type</strong> is a parameter that requests what is to be returned from the Authorization endpoint response parameters.</p>
<p style="margin-top:9px;margin-right:0px;margin-bottom:9px;margin-left:0px;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;border-top-width:0px;border-right-width:0px;border-bottom-width:0px;border-left-width:0px;border-style:initial;border-color:initial;font-size:13px;font-family:Helvetica,Arial,sans-serif;vertical-align:baseline;line-height:18px;color:rgb(57,57,57);background-color:rgb(255,255,255)">
So, if response_type=code, code is returned from the Authz EP, and if response_type=token, token is returned from the Authz EP. Expanding on these semantics, <strong style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0px;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;border-top-width:0px;border-right-width:0px;border-bottom-width:0px;border-left-width:0px;border-style:initial;border-color:initial;font-weight:bold;font-style:inherit;font-family:inherit;vertical-align:baseline">response_type=code id_token</strong> would mean that code and id_token have to be returned from the Authz EP as independent parameters. If <strong style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0px;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;border-top-width:0px;border-right-width:0px;border-bottom-width:0px;border-left-width:0px;border-style:initial;border-color:initial;font-weight:bold;font-style:inherit;font-family:inherit;vertical-align:baseline">code</strong> is to be returned as part of the <strong style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0px;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;border-top-width:0px;border-right-width:0px;border-bottom-width:0px;border-left-width:0px;border-style:initial;border-color:initial;font-weight:bold;font-style:inherit;font-family:inherit;vertical-align:baseline">id_token</strong>, I feel that it should be just <strong style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0px;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;border-top-width:0px;border-right-width:0px;border-bottom-width:0px;border-left-width:0px;border-style:initial;border-color:initial;font-weight:bold;font-style:inherit;font-family:inherit;vertical-align:baseline">id_token</strong>, or a new response type such as <strong style="margin-top:0px;margin-right:0px;margin-bottom:0px;margin-left:0px;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;border-top-width:0px;border-right-width:0px;border-bottom-width:0px;border-left-width:0px;border-style:initial;border-color:initial;font-weight:bold;font-style:inherit;font-family:inherit;vertical-align:baseline">code_in_id_token</strong>.</p>
<p style="margin-top:9px;margin-right:0px;margin-bottom:9px;margin-left:0px;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;border-top-width:0px;border-right-width:0px;border-bottom-width:0px;border-left-width:0px;border-style:initial;border-color:initial;font-size:13px;font-family:Helvetica,Arial,sans-serif;vertical-align:baseline;line-height:18px;color:rgb(57,57,57);background-color:rgb(255,255,255)">
We can then throw away a response_type "code id_token".</p><p style="margin-top:9px;margin-right:0px;margin-bottom:9px;margin-left:0px;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;border-top-width:0px;border-right-width:0px;border-bottom-width:0px;border-left-width:0px;border-style:initial;border-color:initial;font-size:13px;font-family:Helvetica,Arial,sans-serif;vertical-align:baseline;line-height:18px;color:rgb(57,57,57);background-color:rgb(255,255,255)">
For "code token id_token", it would be replaced with "code_in_id_token token". This is going to reduce the number of permutations.</p><p style="margin-top:9px;margin-right:0px;margin-bottom:9px;margin-left:0px;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;border-top-width:0px;border-right-width:0px;border-bottom-width:0px;border-left-width:0px;border-style:initial;border-color:initial;font-size:13px;font-family:Helvetica,Arial,sans-serif;vertical-align:baseline;line-height:18px;color:rgb(57,57,57);background-color:rgb(255,255,255)">
Thoughts? </p><div><br></div>-- <br>Nat Sakimura (=nat)<div>Chairman, OpenID Foundation<br><a href="http://nat.sakimura.org/" target="_blank">http://nat.sakimura.org/</a><br>@_nat_en</div><br>
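<p>An added example, not part of the original message or of any OpenID Connect implementation: a relying-party check that treats each response_type value as a promise about which independent parameters the Authorization Endpoint returns, which is the reading of the semantics given in the message above. The <code>code_in_id_token</code> entry models the value proposed in that message and is not a registered response type; the redirect URLs are constructed sample input.</p>

```python
from urllib.parse import urlsplit, parse_qs

# response_type value -> parameter the Authorization Endpoint returns for it.
ARTIFACT_PARAM = {
    "code": "code",
    "token": "access_token",
    "id_token": "id_token",
    # Value proposed in the message above (assumption, not a registered
    # response type): the code travels inside the id_token, so the only
    # independent parameter it promises is id_token.
    "code_in_id_token": "id_token",
}
ALL_ARTIFACTS = {"code", "access_token", "id_token"}


def expected_params(response_type):
    """Parameters the Authorization Endpoint must return for this request."""
    values = response_type.split()
    unknown = [v for v in values if v not in ARTIFACT_PARAM]
    if unknown:
        raise ValueError(f"unknown response_type value(s): {unknown}")
    return {ARTIFACT_PARAM[v] for v in values}


def check_authz_response(response_type, redirect_url):
    """Compare what was requested with what came back on the redirect.

    Looks in both the query string and the fragment. Only code,
    access_token and id_token are judged; state, token_type and similar
    parameters are ignored.
    """
    parts = urlsplit(redirect_url)
    returned = set(parse_qs(parts.query)) | set(parse_qs(parts.fragment))
    expected = expected_params(response_type)
    return {
        "missing": expected - returned,
        "unexpected": (returned & ALL_ARTIFACTS) - expected,
    }


if __name__ == "__main__":
    # Constructed sample redirects; rp.example and all token values are made up.
    samples = [
        ("code id_token", "https://rp.example/cb#code=abc&id_token=x.y.z&state=s1"),
        ("code id_token", "https://rp.example/cb#id_token=x.y.z&state=s1"),
        ("code_in_id_token token",
         "https://rp.example/cb#id_token=x.y.z&access_token=t1&token_type=bearer"),
    ]
    for rt, url in samples:
        print(rt, "->", check_authz_response(rt, url))
```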