How can I ensure that a client cannot ask for the ID Token? How can I revoke its access to the openid scope?

eloi · April 27, 2024, 1:48pm

Hi there

I want to restrict the access to a client to authorize users, not to authenticate them.
In other words, I want to allow the client to ask for an access token (including offline access) but not give it the option to ask for the ID token.

My educated guess is that I should revoke access to the scope openid, but I do not know if this is possible or if I’m taking the wrong direction.

I would appreciate any advice!
Thank you all

Topic		Replies	Views
Open ID Connect default scope Configuring the server authentication	11	6323	October 20, 2022
Unable to return id_token from /token endpoint Getting advice oidc	0	357	January 7, 2023
Creating an authorization policy based on client scopes Securing applications oidc	0	652	September 11, 2020
Keycloak External IdP with dynamic scopes Getting advice authentication , oidc	4	1507	October 31, 2023
Dynamic Client registration with Token Exchange	6	1009	October 3, 2021

How can I ensure that a client cannot ask for the ID Token? How can I revoke its access to the openid scope?

Related Topics