I'm getting a validation error with a response from a plain OAuth2 (non-OIDC) AS. The request_type is "code" and I have the "openid" scope included. Line 43 of ResponseValidator is validating based on the openid scope, and part of that validation is to check that id_token is a valid JWT.
However, as per the example in the specs, the id_token response is mandatory only for request_type "id_token":
https://openid.net/specs/openid-connect-core-1_0.html#codeExample
I believe the validation should consider whether or not the request_type is "code"; if it is, it should only validate the format of id_token if it exists. It should not fail validation if it does not exist.
Which IdP are you using? Typically when you set openid you get an id_token.
I'm using a service called WorkflowMax (oauth.workflowmax2.com).
Why do you need to set scope=openid when you do not need the id_token anyway?
I'm learning as I go :) All the examples on WorkflowMax's site include the openid scope, so I used it.
I have now removed that scope and everything seems to be working. There are some oddities that may be because I've removed the openid scope, but I'm still learning in this area, so I can't yet say for sure.
That said, the example "A.1" on the openid site that I linked to in the original question is pretty clear: the openid scope is in the authorization request and id_token is not in the response. So it does seem to be completely valid to not have id_token included in the response.
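One way to express the validation rule argued for in this issue, as an added Python example that is not the library's own code (the function and parameter names are hypothetical): which parameters the authorization response must carry is decided by response_type, not by scope, so with response_type=code an id_token is optional, and when one is present it must at least parse as a JWT.

```python
import base64
import json
from urllib.parse import parse_qs, urlparse

def b64url(data: bytes) -> str:
    """base64url without padding, as used by JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def looks_like_jwt(token: str) -> bool:
    """Structural check only: three segments whose header and payload
    decode to JSON objects. Signature verification against the issuer's
    keys is a separate step after the token endpoint exchange."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    try:
        for seg in parts[:2]:
            raw = base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))
            if not isinstance(json.loads(raw), dict):
                return False
    except ValueError:  # covers binascii.Error, JSONDecodeError, bad UTF-8
        return False
    return True

def validate_authorization_response(params: dict, response_type: str,
                                    expected_state: str):
    """Return (ok, reason). Mandatory parameters follow response_type, not
    scope: scope=openid with response_type=code yields only a code here;
    the id_token arrives from the token endpoint instead."""
    if params.get("state") != expected_state:
        return False, "state mismatch"
    if "error" in params:
        return False, "error response: " + params["error"]
    requested = set(response_type.split())
    if "code" in requested and "code" not in params:
        return False, "missing code"
    if "id_token" in requested and "id_token" not in params:
        return False, "missing id_token"
    if "id_token" in params and not looks_like_jwt(params["id_token"]):
        return False, "id_token is not a well-formed JWT"  # present but broken
    return True, "ok"

def parse_redirect(url: str) -> dict:
    """Flatten query (code flow) and fragment (implicit/hybrid) parameters."""
    u = urlparse(url)
    merged = {**parse_qs(u.query), **parse_qs(u.fragment)}
    return {k: v[0] for k, v in merged.items()}
```

The sample redirect URLs and tokens used with it are constructed inputs; the state check is kept in because it is the one part of the front-channel response that must be verified in every flow.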