Skip to content
GitLab
Closed
Issue created by Maxime Besson@maxbes🔧Maintainer

Token endpoint should only emit ID token when scope contains "openid"

Concerned version

Version: 2.0.12

Summary

Use case 1:

  • Configure resource owner password grant and allow refresh tokens
  • Request an access token without "openid" in the scope
  • ID token is ommited from response => GOOD
  • refresh the access token
  • ID token is included in refresh response => BAD

Use case 2:

  • Configure resource owner password grant and allow refresh tokens
  • Request an access token with "openid" in the scope
  • ID token is ommited from response => BAD
  • refresh the access token
  • ID token is included in refresh response => GOOD