OAuth2Request originalAuthRequest = authentication.getOAuth2Request();
    String clientId = originalAuthRequest.getClientId();
    ClientDetailsEntity client = clientService.loadClientByClientId(clientId);
    JWTClaimsSet claims = new JWTClaimsSet();
    claims.setAudience(Lists.newArrayList(clientId));
    claims.setIssuer(configBean.getIssuer());
    claims.setIssueTime(new Date());
    claims.setExpirationTime(token.getExpiration());
    claims.setJWTID(UUID.randomUUID().toString()); // set a random NONCE in the middle of it
    JWSAlgorithm signingAlg = jwtService.getDefaultSigningAlgorithm();
    SignedJWT signed = new SignedJWT(new JWSHeader(signingAlg), claims);
    jwtService.signJwt(signed);
    token.setJwt(signed);
    /**
     * Authorization request scope MUST include "openid" in OIDC, but access token request
     * may or may not include the scope parameter. As long as the AuthorizationRequest
     * has the proper scope, we can consider this a valid OpenID Connect request. Otherwise,
     * we consider it to be a vanilla OAuth2 request.
     * 
     * Also, there must be a user authentication involved in the request for it to be considered
     * OIDC and not OAuth, so we check for that as well.
     */
    if (originalAuthRequest.getScope().contains("openid")
        && !authentication.isClientOnly()) {
      String username = authentication.getName();
      UserInfo userInfo = userInfoService.getByUsernameAndClientId(username, clientId);
      if (userInfo != null) {
        OAuth2AccessTokenEntity idTokenEntity = connectTokenService.createIdToken(client,
            originalAuthRequest, claims.getIssueTime(),
            userInfo.getSub(), token);
        // attach the id token to the parent access token
        token.setIdToken(idTokenEntity);
      } else {