[keycloak-dev] Should we allow response_type=token ?
Stian Thorgersen
sthorger at redhat.com
Tue Jan 26 07:25:27 EST 2016
I'm happy with that, let's merge it
On 26 January 2016 at 13:16, Marek Posolda <mposolda at redhat.com> wrote:
> I did a bit more research regarding this. OpenID Connect doesn't
> explicitly prevent that "response_type=token" must not be used. There is
> just this sentence in the specs:
> NOTE: While OAuth 2.0 also defines the token Response Type value for the
> Implicit Flow, OpenID Connect does not use this Response Type, since no ID
> Token would be returned.
>
> So to be compliant with pure OAuth 2 clients (like swagger.ui) , which
> don't know about "id_token" response_type, I actually suggest to support
> response_type=token for clients with enabled implicit flow. I've sent PR
> for this https://github.com/keycloak/keycloak/pull/2110 . Let me know if
> you think that we shouldn't merge it.
>
> Marek
>
>
> On 26/01/16 08:44, Stian Thorgersen wrote:
>
> If OpenID Connect prevents response_type=token, then no. We should be
> OpenID Connect compliant.
>
> Just add this to the issue and close it as rejected.
>
> On 25 January 2016 at 21:54, Marek Posolda <mposolda at redhat.com> wrote:
>
>> Question about https://issues.jboss.org/browse/KEYCLOAK-2351 . Should we
>> allow response_type=token ?
>>
>> Basically OAuth2 allows that [1] but OpenID Connect doesn't for implicit
>> nor hybrid flow to use response_type=token alone without "id_token" or
>> "code" [2] [3] .
>>
>> I am fine with support response_type=token, however doesn't we break
>> OpenID Connect specs then? Or should we have option (either on/off flag
>> or list of valid response_type combinations) in configuration to specify
>> whether it's allowed or not?
>>
>> [1] https://tools.ietf.org/html/rfc6749#section-4.2.1
>> [2]
>> http://openid.net/specs/openid-connect-core-1_0.html#ImplicitAuthRequest
>> [3]
>> http://openid.net/specs/openid-connect-core-1_0.html#HybridAuthRequest
>>
>> Marek
>>
>>
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20160126/f0e406d5/attachment.html
More information about the keycloak-dev
mailing list