<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <div class="moz-cite-prefix">+1 <br>
      <br>
      This is a non-normative overview text, so that level of abstraction
      may work better. <br>
      <br>
      Nat<br>
      <br>
      (2014/01/06 22:09), John Bradley wrote:<br>
    </div>
    <blockquote
      cite="mid:1C42A2FB-EC07-4A40-A3C8-BBE7B7749233@ve7jtb.com"
      type="cite">
      Good point, the code token response returns the id_token from the
      token endpoint.
      <div><br>
      </div>
      <div>So while code is always returned in the fragment, token and
        id_token are optional in the fragment depending on the response
        type.</div>
      <div><br>
      </div>
      <div>That would make "Authorization Server Sends the End-User back
        to the Client with an Authorization Code and, depending on the
        response_type one or both of ID Token, Access Token"</div>
      <div>The most correct.   </div>
      <div><br>
      </div>
      <div>This is a high-level flow description so we could say:</div>
      <div>"Authorization Server Sends the End-User back to the Client
        with an Authorization Code and, depending on the response_type
        one or more additional parameters"</div>
      <div>That makes it read better.</div>
      <div><br>
      </div>
      <div>There is always a second parameter otherwise it is a code
        flow.</div>
      <div><br>
      </div>
      <div>John B.</div>
      <div><br>
        <div>
          <div>On Jan 6, 2014, at 2:29 AM, Ryo Ito &lt;<a
              moz-do-not-send="true" href="mailto:ritou.06@gmail.com">ritou.06@gmail.com</a>&gt;
            wrote:</div>
          <br class="Apple-interchange-newline">
          <blockquote type="cite">
            <div dir="ltr">
              <div>> code is actually always returned in successful
                response</div>
              <div>OK</div>
              <div><br>
              </div>
              <div>> + 5. Authorization Server Sends the End-User
                back to the Client with an ID Token, an Authorization
                Code and, if requested, an Access Token.</div>
              <div><br>
              </div>
              <div>In the table of OpenID Connect "response_type"
                Values, the hybrid flow may not require an ID Token in
                the authorization response.</div>
              <div><br>
              </div>
              <div>> | code id_token | Hybrid Flow |</div>
              <div>
                > | code token | Hybrid Flow |</div>
              <div>> | code id_token token | Hybrid Flow |</div>
              <div><br>
              </div>
              <div>Ryo</div>
            </div>
            <div class="gmail_extra"><br>
              <br>
              <div class="gmail_quote">2014/1/5 John Bradley <span
                  dir="ltr">&lt;<a moz-do-not-send="true"
                    href="mailto:ve7jtb@ve7jtb.com" target="_blank">ve7jtb@ve7jtb.com</a>&gt;</span><br>
                <blockquote class="gmail_quote">
                  <div>The response types "id_token token" and
                    "id_token" are now covered in implicit.  I think the
                    language was intended to cover the "id_token"
                    response type before refactoring.
                    <div>
                      <br>
                    </div>
                    <div>The current text is not strictly incorrect but
                      is misleading as the Authorization code is always
                      requested in the Hybrid flow.<br>
                      <div><br>
                      </div>
                      <div>Nat and Ryo's proposed change is less
                        confusing and is editorial in my opinion.</div>
                      <div><br>
                      </div>
                      <div>John B.</div>
                      <div>
                        <div class="h5">
                          <div><br>
                          </div>
                          <div>
                            <div>
                              <div>On Jan 5, 2014, at 2:04 AM, Nat
                                Sakimura &lt;<a moz-do-not-send="true"
                                  href="mailto:sakimura@gmail.com"
                                  target="_blank">sakimura@gmail.com</a>&gt;
                                wrote:</div>
                              <br>
                              <blockquote type="cite">
                                <div dir="ltr">Good catch. 
                                  <div>Though, in hybrid flow, code is
                                    actually always returned in
                                    successful response so it would be </div>
                                  <div><br>
                                  </div>
                                  <div>- 5. Authorization Server Sends
                                    the End-User back to the Client with
                                    an ID Token and, if requested, an
                                    Authorization Code and/or Access
                                    Token.<br>
                                  </div>
                                  <div>+ 5. Authorization Server Sends
                                    the End-User back to the Client with
                                    an ID Token, an Authorization Code
                                    and, <span>if requested, an</span> Access Token.</div>
                                  <div><br>
                                  </div>
                                  <div>If it does not return an
                                    authorization code, it is an
                                    implicit flow. </div>
                                </div>
                                <div class="gmail_extra"><br>
                                  <br>
                                  <div class="gmail_quote">2014/1/5 Ryo
                                    Ito <span dir="ltr">&lt;<a
                                        moz-do-not-send="true"
                                        href="mailto:ritou.06@gmail.com"
                                        target="_blank">ritou.06@gmail.com</a>&gt;</span><br>
                                    <blockquote class="gmail_quote">
                                      <div dir="ltr">
                                        <div>Hybrid flow includes code
                                          in authorization response.<br>
                                        </div>
                                        <div><br>
                                        </div>
                                        <div>Step 5 should be corrected
                                          as follows.</div>
                                        <div><br>
                                        </div>
                                        <div>- 5. Authorization Server
                                          Sends the End-User back to the
                                          Client with an ID Token and,
                                          if requested, an Authorization
                                          Code and/or Access Token.</div>
                                        <div>+ 5. Authorization Server
                                          Sends the End-User back to the
                                          Client with an Code and, if
                                          requested, an Authorization ID
                                          Token and/or Access Token.</div>
                                        <div><br>
                                        </div>
                                        <div>Thanks,</div>
                                        <div>Ryo.</div>
                                        <span>
                                          <div>
                                            <br>
                                          </div>
                                          -- <br>
                                          ====================<br>
                                          Ryo Ito<br>
                                          Email : <a
                                            moz-do-not-send="true"
                                            href="mailto:ritou.06@gmail.com"
                                            target="_blank">ritou.06@gmail.com</a><br>
                                          ====================
                                        </span></div>
                                      <br>
_______________________________________________<br>
                                      Openid-specs-ab mailing list<br>
                                      <a moz-do-not-send="true"
                                        href="mailto:Openid-specs-ab@lists.openid.net"
                                        target="_blank">Openid-specs-ab@lists.openid.net</a><br>
                                      <a moz-do-not-send="true"
                                        href="http://lists.openid.net/mailman/listinfo/openid-specs-ab"
                                        target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
                                      <br>
                                    </blockquote>
                                  </div>
                                  <br>
                                  <br>
                                  <div><br>
                                  </div>
                                  -- <br>
                                  Nat Sakimura (=nat)
                                  <div>Chairman, OpenID Foundation<br>
                                    <a moz-do-not-send="true"
                                      href="http://nat.sakimura.org/"
                                      target="_blank">http://nat.sakimura.org/</a><br>
                                    @_nat_en</div>
                                </div>
                              </blockquote>
                            </div>
                            <br>
                          </div>
                        </div>
                      </div>
                    </div>
                  </div>
                </blockquote>
              </div>
              <br>
              <br>
              <div><br>
              </div>
              -- <br>
              ====================<br>
              Ryo Ito<br>
              Email : <a moz-do-not-send="true"
                href="mailto:ritou.06@gmail.com">ritou.06@gmail.com</a><br>
              ====================
            </div>
          </blockquote>
        </div>
        <br>
      </div>
      <br>
    </blockquote>
    <br>
    <br>
    <pre class="moz-signature" cols="72">-- 
Nat Sakimura (<a class="moz-txt-link-abbreviated" href="mailto:n-sakimura@nri.co.jp">n-sakimura@nri.co.jp</a>)
Nomura Research Institute, Ltd. 
<a class="moz-txt-link-freetext" href="Tel:+81-3-6274-1412">Tel:+81-3-6274-1412</a> Fax:+81-3-6274-1547
</pre>
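    <p>The rule the thread converges on (code is always in a successful hybrid response, while id_token and the access token appear only when the response_type asks for them) can be checked on the client as below. This is an added example, not part of the thread or of the OpenID Connect specification; the function names, the strict "present exactly when requested" policy and the sample redirect URL are assumptions made for illustration.</p>

```javascript
// Added example (not from the thread). Names and sample values are constructed.
const KNOWN = ["code", "id_token", "token"];

// Map a space-delimited response_type to the flow the thread assigns it.
function classifyFlow(responseType) {
  const parts = new Set(responseType.trim().split(/\s+/));
  if ([...parts].some((p) => !KNOWN.includes(p))) return "unknown";
  if (!parts.has("code")) {
    // No code: the thread names "id_token" and "id_token token" as implicit.
    return parts.has("id_token") ? "implicit" : "unknown";
  }
  // code alone is the code flow; a second value makes it hybrid.
  return parts.size === 1 ? "code" : "hybrid";
}

// Check a hybrid-flow redirect against the response_type that was requested.
function checkHybridResponse(responseType, redirectUrl) {
  if (classifyFlow(responseType) !== "hybrid") {
    return { ok: false, problems: ["response_type is not a hybrid value"] };
  }
  const params = new URLSearchParams(new URL(redirectUrl).hash.slice(1));
  if (params.has("error")) {
    return { ok: false, problems: ["error response: " + params.get("error")] };
  }
  const problems = [];
  // code is always present in a successful hybrid response.
  if (!params.get("code")) problems.push("missing code");
  // Assumed strict policy: each token is present exactly when requested.
  const requested = responseType.trim().split(/\s+/);
  const tokenParams = { id_token: "id_token", token: "access_token" };
  for (const [type, param] of Object.entries(tokenParams)) {
    const wanted = requested.includes(type);
    if (wanted !== params.has(param)) {
      problems.push((wanted ? "missing " : "unexpected ") + param);
    }
  }
  return { ok: problems.length === 0, problems };
}

// Constructed sample: "code token" carries no ID Token in the fragment.
const sample =
  "https://client.example/cb#code=CONSTRUCTED_CODE&access_token=CONSTRUCTED_AT&token_type=Bearer";
console.log(checkHybridResponse("code token", sample));
```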
  </body>
</html>