0
votes

When I send a /token request followed by an /authorize request for an OpenID Connect server, I know it's required to set scope=openid for the /authorize call. My question is, is it required for the /token call too?

The OIDC spec says nothing about that.

3.1.3.1. Token Request

A Client makes a Token Request by presenting its Authorization Grant (in the form of an Authorization Code) to the Token Endpoint using the grant_type value authorization_code, as described in Section 4.1.3 of OAuth 2.0 [RFC6749]. If the Client is a Confidential Client, then it MUST authenticate to the Token Endpoint using the authentication method registered for its client_id, as described in Section 9.

The Client sends the parameters to the Token Endpoint using the HTTP POST method and the Form Serialization, per Section 13.2, as described in Section 4.1.3 of OAuth 2.0 [RFC6749].

If that is the case, how does the /token endpoint implementation determine whether a request is OIDC or OAuth2? How does it know if it should send an id_token or not?


2 Answers

1
votes

The token request is done with a so-called grant that the Client needs to present, typically (and in your case) an Authorization Code. A grant is issued within a certain context and the Authorization Server keeps track of that context.

In your case the Authorization Server would keep track of the fact that the code was issued on an Authorization Request that contained the "openid" scope, and that scope was granted by the user. Thus when the code is redeemed at the Token Endpoint an id_token is included in the response.

0
votes

In OpenID Connect Core 1.0 incorporating errata set 1 Section: 3.1.2.1. Authentication Request

OpenID Connect uses the following OAuth 2.0 request parameters with the Authorization Code Flow:

scope REQUIRED. OpenID Connect requests MUST contain the openid scope value. If the openid scope value is not present, the behavior is entirely unspecified. Other scope values MAY be present. Scope values used that are not understood by an implementation SHOULD be ignored. See Sections 5.4 and 11 for additional scope values defined by this specification.

The "MUST contain the openid scope value" is the determining factor that this is an OpenID Connect Request.

There is nothing in the token request that is different from OAuth 2.0. The Authentication Request, which is the first call to the Authorization Endpoint, is made with scope=openid, and the Authorization Code that is returned is the authorization to obtain the Access Token and the ID Token. As stated in 3.1.3.3. Successful Token Response:

After receiving and validating a valid and authorized Token Request from the Client, the Authorization Server returns a successful response that includes an ID Token and an Access Token.
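To illustrate what both answers describe (the server binds the granted scopes to the authorization code at /authorize, and /token decides on an id_token from that stored context rather than from any scope parameter), here is an added, constructed in-memory example; it is not code from the question or either answer, and the client registration, issuer URL and secret are made-up placeholders:

```python
import secrets
import time

# Constructed example registration: one confidential client (placeholder values).
REGISTERED_CLIENTS = {
    "client-1": {"secret": "s3cret", "redirect_uri": "https://app.example/cb"},
}
_codes = {}  # authorization code -> context captured at the authorization endpoint


def authorize(client_id, redirect_uri, scope, user):
    """Authorization endpoint (3.1.2.1): 'openid' in scope marks an OIDC request.
    The granted scopes are bound to the code here; the client never sends them again."""
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None or client["redirect_uri"] != redirect_uri:
        raise ValueError("invalid_client")
    code = secrets.token_urlsafe(32)
    _codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                    "scopes": set(scope.split()), "sub": user,
                    "expires": time.time() + 60}  # short-lived code
    return code


def token(grant_type, code, client_id, client_secret, redirect_uri):
    """Token endpoint (3.1.3.1): plain OAuth 2.0 authorization_code grant, no scope
    parameter. Whether an id_token is issued depends only on the stored context."""
    if grant_type != "authorization_code":
        return {"error": "unsupported_grant_type"}
    client = REGISTERED_CLIENTS.get(client_id)
    if client is None or not secrets.compare_digest(client["secret"], client_secret):
        return {"error": "invalid_client"}
    ctx = _codes.pop(code, None)  # single use: the code is consumed on first redemption
    if ctx is None or ctx["expires"] < time.time():
        return {"error": "invalid_grant"}
    if ctx["client_id"] != client_id or ctx["redirect_uri"] != redirect_uri:
        return {"error": "invalid_grant"}  # code was issued to a different client/URI
    resp = {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer",
            "expires_in": 3600, "scope": " ".join(sorted(ctx["scopes"]))}
    if "openid" in ctx["scopes"]:
        # ID Token shown as a claims dict; a real server issues it as a signed JWT.
        resp["id_token"] = {"iss": "https://op.example", "sub": ctx["sub"],
                            "aud": client_id, "iat": int(time.time())}
    return resp
```

Redeeming a code issued for "openid profile" yields an id_token; redeeming one issued for "profile" alone yields a plain OAuth 2.0 response, with identical /token requests in both cases.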