<div dir="ltr"><p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-family:Helvetica,sans-serif;color:rgb(51,51,51);background:rgb(240,240,240)">Hello,</span></p>
<p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-family:Helvetica,sans-serif;color:rgb(51,51,51)"><br>
<span style="background:rgb(240,240,240)">I am going through the following website:</span></span></p>
<p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-family:Helvetica,sans-serif;color:rgb(51,51,51)"><br>
</span><a href="https://openid.net/specs/openid-connect-core-1_0.html" target="_blank" style="color:rgb(5,99,193)"><span style="font-family:Helvetica,sans-serif;color:rgb(17,85,204);background:rgb(240,240,240)">https://openid.net/specs/openid-connect-core-1_0.html</span></a><span style="font-family:Helvetica,sans-serif;color:rgb(51,51,51)"><br>
<br>
<span style="background:rgb(240,240,240)">My query relates to the Hybrid Flow
Authentication.</span><br>
<br>
<b><span style="background:rgb(240,240,240)">Section 3.3.2.5 Successful Authentication
Response states:</span></b><span style="background:rgb(240,240,240)"></span></span></p>
<p class="MsoNormal" style="margin:0cm 0cm 12pt;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-family:Helvetica,sans-serif;color:rgb(51,51,51)"><br>
<span style="background:rgb(240,240,240)">"code</span><br>
<span style="background:rgb(240,240,240)">Authorization Code. This is always returned
when using the Hybrid Flow."</span><br>
<br>
<span style="background:rgb(240,240,240)"></span></span></p>
<p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><b><span style="font-family:Helvetica,sans-serif;color:rgb(51,51,51);background:rgb(240,240,240)">Section 3.3.2.8. Authentication Response
Validation, clause 5 states:</span></b></p>
<p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-family:Helvetica,sans-serif;color:rgb(51,51,51);background:rgb(240,240,240)"> </span></p>
<p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-family:Helvetica,sans-serif;color:rgb(51,51,51);background:rgb(240,240,240)">"Follow the Authorization Code validation rules in
Section 3.3.2.10 when the response_type value used is <b>code id_token</b> or <b>code
id_token token</b>."</span><span style="font-family:Helvetica,sans-serif;color:rgb(51,51,51)"><br>
<br>
<span style="background:rgb(240,240,240)">Shouldn't clause 5 mention all 3 hybrid flow
response types, i.e.</span><br>
<span style="background:rgb(240,240,240)">code id_token, code id_token token <b>AND CODE
TOKEN</b>?</span><br>
<br>
<span style="background:rgb(240,240,240)">Please advise.</span><br>
<br>
<span style="background:rgb(240,240,240)">Rgds</span><br>
<span style="background:rgb(240,240,240)">Nughmman</span></span></p></div>