oauth-2.0 openid-connect access-token

OIDC Authorization Code flow /token response


Is it possible for the /token endpoint to just return an id_token and not an access_token in the case of the authorization code flow? I could not find anything mentioned around this in the OIDC spec the way I read it. I would appreciate any pointers to documentation around this.


Solution

  • Section 3.1.3.3 of the spec says:

    After receiving and validating a valid and authorized Token Request from the Client, the Authorization Server returns a successful response that includes an ID Token and an Access Token.

    So I guess you always get both, but it's up to you to ignore the tokens you don't care about.
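
A client-side check of the /token response that follows from the quoted section, as an added example that is not part of the original answer: it rejects a response lacking either token and, going one step beyond the answer, verifies the optional `at_hash` claim (OIDC Core 3.1.3.6) that binds the access token to the ID Token. The function names and sample values are constructed for illustration, and ID Token signature, `iss`, `aud`, `exp` and `nonce` validation are assumed to happen elsewhere.

```python
import base64, hashlib, hmac, json

REQUIRED = ("access_token", "token_type", "id_token")  # OIDC Core 3.1.3.3
HASHES = {"256": hashlib.sha256, "384": hashlib.sha384, "512": hashlib.sha512}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_json(segment: str) -> dict:
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def at_hash(access_token: str, alg: str) -> str:
    """base64url of the left half of the access token's hash (alg from JWS header)."""
    if alg[-3:] not in HASHES:
        raise ValueError(f"unsupported ID Token alg {alg!r}")
    digest = HASHES[alg[-3:]](access_token.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])

def check_token_response(body: str) -> dict:
    """Return the ID Token claims, or raise ValueError on a bad response."""
    resp = json.loads(body)
    missing = [k for k in REQUIRED if not resp.get(k)]
    if missing:
        raise ValueError(f"token response is missing {missing}")
    if resp["token_type"].lower() != "bearer":
        raise ValueError("token_type must be Bearer")
    parts = resp["id_token"].split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a compact JWS")
    header, claims = b64url_json(parts[0]), b64url_json(parts[1])
    # Assumption: signature, iss, aud, exp and nonce are verified elsewhere.
    if "at_hash" in claims:  # optional in the code flow; check it when present
        expected = at_hash(resp["access_token"], header["alg"])
        if not hmac.compare_digest(str(claims["at_hash"]).encode(), expected.encode()):
            raise ValueError("at_hash does not match access_token")
    return claims

def sample_response(access_token="constructed-access-token") -> dict:
    """Constructed sample; the signature segment is a placeholder, not a real one."""
    seg = lambda obj: b64url(json.dumps(obj).encode())
    claims = {"iss": "https://op.example", "sub": "user-1", "aud": "client-1",
              "at_hash": at_hash(access_token, "RS256")}
    id_token = ".".join([seg({"alg": "RS256"}), seg(claims), "c2ln"])
    return {"access_token": access_token, "token_type": "Bearer",
            "expires_in": 3600, "id_token": id_token}

if __name__ == "__main__":
    print(check_token_response(json.dumps(sample_response())))
```
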