<div dir="auto">Section 3.3.2.10 requires an ID Token; "code token" cannot use these steps.</div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Mar 7, 2019 at 13:54, Nughmman Butt via Openid-specs-ab &lt;<a href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-family:Helvetica,sans-serif;color:rgb(51,51,51);background:rgb(240,240,240)">Hello,</span></p>
<p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-family:Helvetica,sans-serif;color:rgb(51,51,51)"><br>
<span style="background:rgb(240,240,240)">I am going through the following website:</span></span></p>
<p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-family:Helvetica,sans-serif;color:rgb(51,51,51)"><br>
</span><a href="https://openid.net/specs/openid-connect-core-1_0.html" style="color:rgb(5,99,193)" target="_blank" rel="noreferrer"><span style="font-family:Helvetica,sans-serif;color:rgb(17,85,204);background:rgb(240,240,240)">https://openid.net/specs/openid-connect-core-1_0.html</span></a><span style="font-family:Helvetica,sans-serif;color:rgb(51,51,51)"><br>
<br>
<span style="background:rgb(240,240,240)">My query relates to the Hybrid Flow
Authentication.</span><br>
<br>
<b><span style="background:rgb(240,240,240)">Section 3.3.2.5 Successful Authentication
Response states:</span></b><span style="background:rgb(240,240,240)"></span></span></p>
<p class="MsoNormal" style="margin:0cm 0cm 12pt;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-family:Helvetica,sans-serif;color:rgb(51,51,51)"><br>
<span style="background:rgb(240,240,240)">"code</span><br>
<span style="background:rgb(240,240,240)">Authorization Code. This is always returned
when using the Hybrid Flow."</span><br>
<br>
<span style="background:rgb(240,240,240)"></span></span></p>
<p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><b><span style="font-family:Helvetica,sans-serif;color:rgb(51,51,51);background:rgb(240,240,240)">Section 3.3.2.8. Authentication Response
Validation, clause 5 states:</span></b></p>
<p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-family:Helvetica,sans-serif;color:rgb(51,51,51);background:rgb(240,240,240)"> </span></p>
<p class="MsoNormal" style="margin:0cm 0cm 0.0001pt;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-family:Helvetica,sans-serif;color:rgb(51,51,51);background:rgb(240,240,240)">"Follow the Authorization Code validation rules in
Section 3.3.2.10 when the response_type value used is <b>code id_token</b> or <b>code
id_token token</b>."</span><span style="font-family:Helvetica,sans-serif;color:rgb(51,51,51)"><br>
<br>
<span style="background:rgb(240,240,240)">Shouldn't clause 5 mention all 3 hybrid flow
response types, i.e.</span><br>
<span style="background:rgb(240,240,240)">code id_token, code id_token token <b>AND CODE
TOKEN</b>?</span><br>
<br>
<span style="background:rgb(240,240,240)">Please advise.</span><br>
<br>
<span style="background:rgb(240,240,240)">Rgds</span><br>
<span style="background:rgb(240,240,240)">Nughmman</span></span></p></div>
</blockquote></div>