Per the OIDC Core spec, "scope" is a REQUIRED parameter in the Authorization Endpoint request. The spec mentions this in 22.214.171.124 :
So my understanding is (also per some other sections) that an OIDC request must always have "scope=openid"; otherwise it's just an OAuth2 request.
Hence what we should likely do is:
- Add "scope=openid" so that it is always used in our adapters by default
- Remove the IDToken from the auth-server response if "scope=openid" is not used, as then it's not an OIDC request.
For the second scenario, we will likely first need to document it and then remove it some releases later, as there is a potential issue with backwards compatibility. Especially a scenario like:
- Someone uses KC auth-server 2.0 but with KC adapter 1.9
- The older adapter won't send "scope=openid" in the request
- The KC server won't send the IDToken (new behaviour)
- People complain: "Hey, I've upgraded my KC server and now I can't see the IDToken in my app"
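As an added illustration (not Keycloak's own code), the adapter-side default and the server-side check proposed above, in Python; the endpoint, client and token values are placeholders, and the `strict` flag stands in for the legacy-versus-new server behaviour:

```python
from urllib.parse import urlencode, urlparse, parse_qs

OPENID_SCOPE = "openid"


def adapter_auth_url(auth_endpoint, client_id, redirect_uri, state, scope=None):
    """Adapter side: build the Authorization Endpoint request URL and make sure
    'openid' is always among the requested scopes (proposed adapter default).
    Parameter names follow OAuth2/OIDC Core; the endpoint value is a placeholder."""
    others = sorted(s for s in (scope or "").split() if s != OPENID_SCOPE)
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "scope": " ".join([OPENID_SCOPE] + others),  # openid first, then the rest
    }
    return f"{auth_endpoint}?{urlencode(params)}"


def query_of(url):
    """Return just the query string of an authorization URL."""
    return urlparse(url).query


def scope_of(url):
    """Return the 'scope' parameter of an authorization URL ('' if absent)."""
    return parse_qs(query_of(url)).get("scope", [""])[0]


def is_oidc_request(query_string):
    """Server side: the request is an OIDC request only if 'openid' is in its scope.
    A request with no scope at all (e.g. from an older adapter) is plain OAuth2."""
    scopes = parse_qs(query_string).get("scope", [""])[0].split()
    return OPENID_SCOPE in scopes


def token_response(query_string, access_token, id_token, strict=True):
    """Server side: assemble the token response for the given authorization request.
    strict=True is the proposed new behaviour (no id_token without scope=openid);
    strict=False keeps the legacy behaviour of always returning the id_token."""
    resp = {"access_token": access_token, "token_type": "Bearer"}
    if not strict or is_oidc_request(query_string):
        resp["id_token"] = id_token
    return resp
```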