Token endpoint should only emit ID token when scope contains "openid"
Concerned version
Version: 2.0.12
Summary
Use case 1:
- Configure resource owner password grant and allow refresh tokens
- Request an access token without "openid" in the scope
- ID token is ommited from response => GOOD
- refresh the access token
- ID token is included in refresh response => BAD
Use case 2:
- Configure resource owner password grant and allow refresh tokens
- Request an access token with "openid" in the scope
- ID token is ommited from response => BAD
- refresh the access token
- ID token is included in refresh response => GOOD