The relationship between endpoint responses and response_type, scope pair

So it seems there is a little bit of confusion around what needs to be returned from which endpoint among the readers of OpenID Connect specification. It actually is pretty clear if you understand what OAuth 2.0 response_type parameter is, but since it is not spelled out clearly in the OAuth 2.0 spec, people seem to find it confusing.

The response_type parameter, as I understand, indicates what is to be returned from the authorization endpoint.

Thus, if response_type=token, the access token is returned from the authorization endpoint, while if response_type=code, the code is returned. As such, if response_type=code%20token, then both code and access token are to be returned from the authorization endpoint.

Here is a table that describes this relationship in OpenID Connect when scope includes “openid”.

response_type

Authz EP response[1]

Token EP response

When it is to be used

code

  • code
  • access_token
  • id_token
  • (refresh_token)
Used in a conventional web sites where most of the processing are done at the server.

token

  • access_token

N/A

Used primarily when the browser needs to access resources, such as in HTML5 canvas application.

id_token

  • id_token

N/A

Used primarily when the browser application needs to recognize the user.

code id_token

  • code
  • id_token
  • access_token
  • id_token
  • (refresh_token)
Used when the browser needs to personalize the view while only the server needs access to profile and other data.

token id_token

  • access_token
  • id_token
N/A Used when only the browser needs to identify the user and access to the data.

code token id_token

  • access_token
  • code
  • id_token
  • access_token
  • id_token
  • (refresh_token)
Used when both the browser and the server needs to identify the user as well as the access to the data.The access_token returned by the Token EP is used by the server, and the access_token returned by the Authz EP is used by the browser.  It is for those use cases where both the browser and the server need the access_token. By doing so, the brwsr does not need to send the access_token to the server, improving security.

[1] All the AuthZ EP responses are returned in the fragment except for the cases where the response_type included only “code”. See OAuth 2.0 Multiple Response Type Encoding Practices for more details.

It is possible to have response_type=id_token without scope being openid, but in that case, id_token is undefined, and is out of scope of OpenID Connect standard.

So, it is pretty simple. Only the thing to remember is that Authorization Endpoint always returns what was stated in the response_type.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.