Question
In Authorization Code Flow, a client normally gets id token and access token in one step, and then passes the access token to the userinfo endpoint to get the actual data in a second step.
In terms of the OpenID Connect, is it possible to combine those steps into one, so one roundtrip from client to OpenID provider suffices?
N.B. The actual content of the Access Token is up to the implementor of an OpenID provider, so in theory I could put the data in there - but that does not seem like good practice, or is it?
Answer 1:
According to the OpenID Connect spec:
ID Tokens MAY contain other Claims.
And the spec also defines a set of standard claims.
If id token contains user information claims that you want, you can get these user information claims from the id token directly.
Source: https://stackoverflow.com/questions/36613098/is-it-possible-to-combine-the-get-token-and-get-userinfo-step-into-one