JWT Profile Grant: return id_token if openid scope is set #587
Comments
|
Furthermore, it would be desirable to have a Reason: This would allow to use the same token refresh mechanism (as is used for "auth code" grant type) in a client application. |
|
@akaegi we did discuss this. But as the JWT profile grant already works without user interaction, there is no real |
|
I understand your reasoning @muhlemmer. However it produces more code on client side because token renewal has to be implemented manually. Otherwise this can be handled by most libraries that automatically renew access tokens based based on the "refresh token grant". |
|
I also understand your reasoning. However, we enforce the grant type on the token endpoint by OIDC client config. For Currently this issue discusses returning an ID token. We estimated this to be an easy fix that takes us less than a day, hence we categorized it as "Small issue". Adding refresh token functionality to this issue won't fit that definition anymore by the above reasoning. Hence, we will probably not do it now. I suggest you open a separate issue / feature request which can be estimated independently. |
|
zitadel/zitadel#7822 would fix this |
|
It would fix it only for zitadel through the custom implementation of the |
Although JWT Profile Authorization is an Oauth2-only extension (there is no mention in the OIDC standard) it would be useful if we return an ID Token is the requested scope is set to
openid. This is to have a compatible result with the rest of the toolkit, regardless of the method of authentication flow that is chosen.Acceptance criteria
openidis set, an ID Token to be returned to the client on JWT Profile Grant.The text was updated successfully, but these errors were encountered: