authts / oidc-client-ts

OpenID Connect (OIDC) and OAuth2 protocol support for browser-based JavaScript applications
https://authts.github.io/oidc-client-ts/
Apache License 2.0

OAuth2 request_type="code" scope="openid ..." is spuriously validating id_token #1561

Open paul-hicks-mahana opened 1 week ago

paul-hicks-mahana commented 1 week ago

I'm getting a validation error with a response from a plain OAuth2 (non-OIDC) AS. The request_type is "code" and I have the "openid" scope included. Line 43 of ResponseValidator is validating based on the openid scope, and part of that validation is to check that id_token is a valid JWT.

However, as per the example in the specs, the id_token response is mandatory only for request_type "id_token": https://openid.net/specs/openid-connect-core-1_0.html#codeExample

I believe the validation should consider whether or not the request_type is "code"; if it is, it should only validate the format of id_token if it exists. It should not fail validation if it does not exist.
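The check the report proposes, as an added example rather than code from oidc-client-ts: id_token is required only when response_type names it, is optional for response_type=code, and is checked for JWT shape whenever it is present. The function and helper names and the sample token are constructed for this example and are not the library's API.

```javascript
// Added example, not oidc-client-ts code. Names are hypothetical.

// base64url helpers for JWT segments (no padding, "-" and "_" alphabet).
function encodeJwtSegment(obj) {
  return btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Decode one base64url segment into a JSON object, or return null if malformed.
function decodeJwtSegment(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) return null;
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  try {
    return JSON.parse(atob(padded));
  } catch {
    return null;
  }
}

// Structural JWT check only: three segments with decodable JSON header and
// payload. Signature verification against the issuer's keys is a separate step.
function looksLikeJwt(token) {
  if (typeof token !== "string") return false;
  const parts = token.split(".");
  if (parts.length !== 3) return false;
  const header = decodeJwtSegment(parts[0]);
  const payload = decodeJwtSegment(parts[1]);
  return header !== null && payload !== null && typeof header.alg === "string";
}

// request: { response_type, scope }; response: parsed token endpoint response.
function validateTokenResponse(request, response) {
  const scopes = (request.scope || "").split(/\s+/).filter(Boolean);
  const responseTypes = (request.response_type || "").split(/\s+/);
  const idToken = response.id_token;

  // response_type "id_token" or "code id_token": the ID token is mandatory.
  if (responseTypes.includes("id_token") && idToken === undefined) {
    return { ok: false, reason: "id_token required for this response_type", hasIdToken: false };
  }
  // Plain OAuth2 request without the openid scope: no id_token is expected.
  if (!scopes.includes("openid")) return { ok: true, reason: "", hasIdToken: false };
  // scope=openid with response_type=code: id_token is optional, but when it
  // is present it must at least have the shape of a JWT.
  if (idToken !== undefined && !looksLikeJwt(idToken)) {
    return { ok: false, reason: "id_token is not a well-formed JWT", hasIdToken: true };
  }
  return { ok: true, reason: "", hasIdToken: idToken !== undefined };
}

// Constructed sample token (unsigned placeholder signature, not a real issuer).
const SAMPLE_ID_TOKEN = [
  encodeJwtSegment({ alg: "RS256", typ: "JWT" }),
  encodeJwtSegment({ iss: "https://idp.example.invalid", sub: "user-1" }),
  "c2ln",
].join(".");
```

Whether an OIDC provider may omit id_token from the token response when openid was requested is the open question in this thread; the function above only encodes the behaviour the reporter asks for.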

pamapa commented 1 week ago

Which Idp are you using? Typically when you set openid you get an id_token.

Why do you need to set scope=openid anyway when you do not need the id_token anyway?

paul-hicks-mahana commented 5 days ago

> Which Idp are you using? Typically when you set openid you get an id_token.

I'm using a service called WorkflowMax (oauth.workflowmax2.com).

> Why do you need to set scope=openid anyway when you do not need the id_token anyway?

I'm learning as I go :) All the examples on WorkflowMax's site include the openid scope, so I used it. I have now removed that scope and everything seems to be working. There are some oddities that may be because I've removed the openid scope, but I'm still learning in this area, so I can't yet say for sure.

That said, the example "A.1" on the openid site that I linked to in the original question is pretty clear: the openid scope is in the authorization request and id_token is not in the response. So it does seem to be completely valid to not have id_token included in the response.