This does not seem to work with OpenID Connect. If I change the response type to “code Id_token” I see the claims on the id_token. However, a call to /token never returns any “scope dependant claims” as outlined here in either the id_token or access token.
This chart (see image at bottom) explains when claims are available based on the response types requests, and in no combination with “code” can you get claims, except from the id_token returned from the authorization request.
The point of using an authorization code, is so that the access token is never accessible to the user (for security and MITM attacks). Using a response type of “code id_token” forces a form_post and the id_token posted from an auto submitted page in the user browser (the “loading…” page) back to the original web site. The exact thing I’m trying to prevent.
With code only, I can’t get the claims from the token returned from /token and I can’t get the claims from the userinfo endpoint either. Just to be clear, the “Token Preview” shows all the claims under id_token for the Grant Type “Authorization Code”. I have tried both “Always” and “Userinfo / id_token request” for the include in token type, and have tried with “Any scope” and specific scopes.
I did try a response type of “code id_token token” thinking I could use that access token to call userinfo, but the server returned an error: “The response type is not supported by the authorization server. Configured response types: [code, id_token]” (this is more FYI than anything else, as I only want code for the response type).