JWT Profile Grant: return id_token if openid scope is set #587
Comments
Furthermore, it would be desirable to have a Reason: This would allow using the same token refresh mechanism (as is used for the "auth code" grant type) in a client application.
@akaegi we did discuss this. But as the JWT profile grant already works without user interaction, there is no real
I understand your reasoning @muhlemmer. However, it produces more code on the client side because token renewal has to be implemented manually. Otherwise this can be handled by most libraries that automatically renew access tokens based on the "refresh token grant".
I also understand your reasoning. However, we enforce the grant type on the token endpoint by OIDC client config. For Currently this issue discusses returning an ID token. We estimated this to be an easy fix that takes us less than a day, hence we categorized it as "Small issue". Adding refresh token functionality to this issue won't fit that definition anymore by the above reasoning. Hence, we will probably not do it now. I suggest you open a separate issue / feature request which can be estimated independently.
zitadel/zitadel#7822 would fix this
It would fix it only for zitadel through the custom implementation of the
Although JWT Profile Authorization is an OAuth2-only extension (there is no mention in the OIDC standard), it would be useful if we return an ID Token if the requested scope is set to `openid`. This is to have a compatible result with the rest of the toolkit, regardless of the method of authentication flow that is chosen.

Acceptance criteria

`openid` is set, an ID Token to be returned to the client on JWT Profile Grant.