There is a minor correction. Thanks, Asela, for pointing it out. According to [1] 3.2.2.10. ID Token, if the response_type value is "id_token token" then presenting the at_hash value in the OIDC ID Token is required. If the response type value is "id_token", the at_hash value is not required.
[1] http://openid.net/specs/openid-connect-core-1_0.html#ImplicitIDToken

On Tue, Jan 5, 2016 at 5:13 PM, Gayan Gunawardana <[email protected]> wrote:

> Hi All,
>
> According to [1] when we generate OIDC ID Token at_hash value should be
> included only for Authorization Code grant type. According to current
> implementation at_hash value is included in both Authorization Code grant
> type generated ID Tokens and Implicit grant type generated ID Tokens. Shall
> we remove at_hash value from Implicit grant type generated ID Tokens?
>
> WDYT?
>
> [1] http://openid.net/specs/openid-connect-core-1_0.html#CodeIDToken
> --
> Gayan Gunawardana
> Software Engineer; WSO2 Inc.; http://wso2.com/
> Email: [email protected]
> Mobile: +94 (71) 8020933
>

--
Gayan Gunawardana
Software Engineer; WSO2 Inc.; http://wso2.com/
Email: [email protected]
Mobile: +94 (71) 8020933
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
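Added example (not part of the original thread and not WSO2 code): a relying-party check of the rule in the correction above, where at_hash binds the ID Token to the access token returned with it. It assumes the at_hash computation from OpenID Connect Core (left-most half of the hash of the access token, hash chosen by the ID Token's alg, base64url without padding); the function names and sample values are constructed.

```python
import base64
import hashlib
import hmac

def compute_at_hash(access_token: str, alg: str = "RS256") -> str:
    """Hash the ASCII access token with the hash of the ID Token's JWS alg,
    keep the left-most half, base64url-encode without padding."""
    if alg[:2] not in ("RS", "PS", "ES", "HS") or alg[2:] not in ("256", "384", "512"):
        raise ValueError(f"unsupported ID Token alg: {alg}")
    digest = hashlib.new("sha" + alg[2:], access_token.encode("ascii")).digest()
    half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(half).rstrip(b"=").decode("ascii")

def check_at_hash(response_type, claims, access_token=None, alg="RS256"):
    """Return None when the ID Token passes the at_hash rule, else a reason."""
    types = set(response_type.split())  # order of the values is not significant
    if types == {"id_token"}:
        return None  # no access token is issued, so at_hash is not required
    if types != {"id_token", "token"}:
        return "response_type not covered by this example"
    at_hash = claims.get("at_hash")
    if at_hash is None:
        return "at_hash missing but required for 'id_token token'"
    if access_token is None:
        return "access token missing from the authorization response"
    expected = compute_at_hash(access_token, alg).encode("ascii")
    # Compare as bytes in constant time; a non-ASCII claim simply fails to match.
    if not hmac.compare_digest(str(at_hash).encode("utf-8"), expected):
        return "at_hash does not match the access token"
    return None

# Constructed sample values, not taken from the thread.
SAMPLE_TOKEN = "constructed-sample-access-token"
SAMPLE_CLAIMS = {"sub": "alice", "at_hash": compute_at_hash(SAMPLE_TOKEN)}

if __name__ == "__main__":
    print(check_at_hash("id_token token", SAMPLE_CLAIMS, SAMPLE_TOKEN))
    print(check_at_hash("id_token token", {"sub": "alice"}, SAMPLE_TOKEN))
    print(check_at_hash("id_token token", SAMPLE_CLAIMS, "swapped-token"))
    print(check_at_hash("id_token", {"sub": "alice"}))
```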
