There is a misbehaving OpenID Connect "compatible" iDP (it shall remain nameless for now) - it throws an error when using scope openid and any response_type that includes id_token. That is surely a bug which has been reported.
That same iDP also returns the id_token in the implicit flow when the scope includes openid and the response_type is simply "token". This messes up the widely used oidc-client npm package, which reports an error "Not expecting id_token in response" - which, according to the OIDC spec, is strictly, correct
But this has brought up an interesting question:
Given the basic premise from section 1 of the OIDC spec:
OpenID Connect implements authentication as an extension to the OAuth 2.0 authorization process. Use of this extension is requested by Clients by including the openid scope value in the Authorization Request.
and that section 3.2.2.1 says
NOTE: While OAuth 2.0 also defines the token Response Type value for the Implicit Flow, OpenID Connect does not use this Response Type, since no ID Token would be returned.
should it therefore be an error to use the two together? Or should the fact that openid is in the scope cause the implementation to "add" id_token to the response_type of the implicit flow by default?
