
Add OIDC id_token to token response for openid scope #54

Merged

eswan18 merged 2 commits into main from feat/id-token on Mar 30, 2026

Conversation

@eswan18 (Owner) commented Mar 30, 2026

Summary

  • Token endpoint now returns an id_token JWT when the openid scope is requested, per OIDC Core Section 3.1.3.3
  • ID token audience is the client_id (not the resource server audience used for access tokens)
  • Includes at_hash (left half of SHA-256 of the access token, per Section 3.1.3.6)
  • Claims are scope-gated: email/email_verified require email scope, preferred_username/given_name/family_name/picture require profile scope
  • Empty claims are omitted via omitempty
  • Not included for flows without openid scope (e.g. client_credentials with admin scopes)

Closes #52

Test plan

  • go build ./... and go vet ./... pass
  • Unit tests: TestGenerateIDToken and TestGenerateIDToken_OmitsEmptyClaims
  • Integration tests: TestTokenResponseIncludesIDToken and TestTokenResponseIDTokenAbsentWithoutOpenID (require Docker)
  • Verify existing OAuth clients still work (id_token is additive, uses omitempty)

🤖 Generated with Claude Code
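The following is an added worked example, not code from this pull request or from the repository: it shows the ID token construction the summary describes (aud = client_id serialized as an array, at_hash per OIDC Core 3.1.3.6, claims gated on the email and profile scopes, nothing returned without openid) in plain Go standard library. The names IDTokenClaims, User, BuildIDTokenClaims, ComputeAtHash, SignHS256 and DecodePayload are assumptions, as is the HS256 signing stand-in used to keep the block self-contained; the project's real signing key, algorithm and user model are not visible on this page.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// IDTokenClaims is a hypothetical claim set matching the PR summary. omitempty
// drops claims no scope granted, so they never appear as "". email_verified is
// a *bool on purpose: with a plain bool, omitempty would silently drop a real
// false, which a relying party could misread as "unknown".
type IDTokenClaims struct {
	Issuer            string   `json:"iss"`
	Subject           string   `json:"sub"`
	Audience          []string `json:"aud"` // the client_id, serialized as a JSON array
	ExpiresAt         int64    `json:"exp"`
	IssuedAt          int64    `json:"iat"`
	Nonce             string   `json:"nonce,omitempty"`
	AtHash            string   `json:"at_hash,omitempty"`
	Email             string   `json:"email,omitempty"`
	EmailVerified     *bool    `json:"email_verified,omitempty"`
	PreferredUsername string   `json:"preferred_username,omitempty"`
	GivenName         string   `json:"given_name,omitempty"`
	FamilyName        string   `json:"family_name,omitempty"`
	Picture           string   `json:"picture,omitempty"`
}

// User is a constructed user record for the example; its fields are assumptions.
type User struct {
	ID, Email, Username, GivenName, FamilyName, Picture string
	EmailVerified                                       bool
}

// ComputeAtHash implements OIDC Core 3.1.3.6 for a *256 JWS algorithm
// (HS256/RS256/ES256): SHA-256 over the ASCII access token, left-most 128 bits,
// base64url without padding. A *384/*512 alg would need SHA-384/SHA-512 instead.
func ComputeAtHash(accessToken string) string {
	sum := sha256.Sum256([]byte(accessToken))
	return base64.RawURLEncoding.EncodeToString(sum[:len(sum)/2])
}

func hasScope(scopes []string, want string) bool {
	for _, s := range scopes {
		if s == want {
			return true
		}
	}
	return false
}

// BuildIDTokenClaims returns nil when openid was not requested, so the token
// endpoint can leave id_token out of the response (e.g. client_credentials).
func BuildIDTokenClaims(issuer, clientID, accessToken, nonce string, scopes []string, u User, now time.Time, ttl time.Duration) *IDTokenClaims {
	if !hasScope(scopes, "openid") {
		return nil
	}
	c := &IDTokenClaims{
		Issuer: issuer, Subject: u.ID, Audience: []string{clientID},
		IssuedAt: now.Unix(), ExpiresAt: now.Add(ttl).Unix(),
		Nonce: nonce, AtHash: ComputeAtHash(accessToken),
	}
	if hasScope(scopes, "email") {
		verified := u.EmailVerified
		c.Email, c.EmailVerified = u.Email, &verified
	}
	if hasScope(scopes, "profile") {
		c.PreferredUsername, c.GivenName = u.Username, u.GivenName
		c.FamilyName, c.Picture = u.FamilyName, u.Picture
	}
	return c
}

// SignHS256 encodes claims as a compact JWS. HS256 keeps the example offline;
// a real provider signs with an asymmetric key it publishes at jwks_uri.
func SignHS256(claims any, key []byte) (string, error) {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := header + "." + base64.RawURLEncoding.EncodeToString(body)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(input))
	return input + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil)), nil
}

// DecodePayload returns the unverified claims of a compact JWT, which is what
// an integration test inspects before asserting on aud and at_hash.
func DecodePayload(token string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("expected 3 JWT segments, got %d", len(parts))
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var m map[string]any
	return m, json.Unmarshal(raw, &m)
}

func main() {
	u := User{ID: "user-1", Email: "alice@example.test", EmailVerified: true, Username: "alice"}
	c := BuildIDTokenClaims("https://op.example.test", "client-abc", "constructed-access-token", "n-0S6", []string{"openid", "email"}, u, time.Now(), time.Hour)
	tok, _ := SignHS256(c, []byte("constructed-demo-key")) // constructed key, demo only
	p, _ := DecodePayload(tok)
	fmt.Println("aud:", p["aud"], "at_hash:", p["at_hash"], "preferred_username absent:", p["preferred_username"] == nil)
}
```

Two checks worth keeping in mind when reviewing a change like this: at_hash is tied to the hash function of the ID token's signing algorithm, so a provider that rotates from RS256 to RS512 must switch to SHA-512 (right-truncated the same way) or every client-side at_hash validation will fail; and omitempty on a plain Go bool drops email_verified=false, so the pointer form above is needed if "not verified" must remain distinguishable from "not asked". Because aud is emitted as a one-element array here, a test has to unpack it, which is the same adjustment the second commit on this page describes.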

eswan18 and others added 2 commits March 29, 2026 22:33

Per OIDC Core Section 3.1.3.3, the token response must include an
id_token when the openid scope is requested. The ID token is a JWT
with:
- aud = client_id (not the resource server audience)
- at_hash = left half of SHA-256 of the access token (Section 3.1.3.6)
- Scope-gated claims: email/email_verified (email scope),
  preferred_username/given_name/family_name/picture (profile scope)
- Empty claims omitted via omitempty

The id_token is not included for flows without openid scope (e.g.
client_credentials with admin scopes).

Closes #52

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

The JWT aud claim is serialized as a JSON array ["client_id"], not a
plain string. Updated the assertion to unpack the array first.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@eswan18 eswan18 merged commit 7dd734f into main Mar 30, 2026
1 check passed
@eswan18 eswan18 deleted the feat/id-token branch March 30, 2026 03:38


Development

Successfully merging this pull request may close these issues.

Token response missing id_token for openid scope (OIDC Core requirement)
