<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">I did a bit more research regarding
this. OpenID Connect doesn't explicitly prevent that
"response_type=token" must not be used. There is just this
sentence in the specs:<br>
NOTE: While OAuth 2.0 also defines the <tt>token</tt> Response
Type value for the Implicit Flow, OpenID Connect does not use this
Response Type, since no ID Token would be returned. <br>
<br>
So to be compliant with pure OAuth 2 clients (like swagger.ui) ,
which don't know about "id_token" response_type, I actually
suggest to support response_type=token for clients with enabled
implicit flow. I've sent PR for this
<a class="moz-txt-link-freetext" href="https://github.com/keycloak/keycloak/pull/2110">https://github.com/keycloak/keycloak/pull/2110</a> . Let me know if
you think that we shouldn't merge it.<br>
<br>
Marek<br>
<br>
On 26/01/16 08:44, Stian Thorgersen wrote:<br>
</div>
<blockquote
cite="mid:CAJgngAeYQ8nF0M+DKFr0_=-HsQKit1Fc-UZLKOw7tWgBNaMNZw@mail.gmail.com"
type="cite">
<div dir="ltr">If OpenID Connect prevents response_type=token,
then no. We should be OpenID Connect compliant.
<div><br>
</div>
<div>Just add this to the issue and close it as rejected.</div>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On 25 January 2016 at 21:54, Marek
Posolda <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">Question
about <a moz-do-not-send="true"
href="https://issues.jboss.org/browse/KEYCLOAK-2351"
rel="noreferrer" target="_blank">https://issues.jboss.org/browse/KEYCLOAK-2351</a>
. Should we<br>
allow response_type=token ?<br>
<br>
Basically OAuth2 allows that [1] but OpenID Connect doesn't
for implicit<br>
nor hybrid flow to use response_type=token alone without
"id_token" or<br>
"code" [2] [3] .<br>
<br>
I am fine with support response_type=token, however doesn't
we break<br>
OpenID Connect specs then? Or should we have option (either
on/off flag<br>
or list of valid response_type combinations) in
configuration to specify<br>
whether it's allowed or not?<br>
<br>
[1] <a moz-do-not-send="true"
href="https://tools.ietf.org/html/rfc6749#section-4.2.1"
rel="noreferrer" target="_blank">https://tools.ietf.org/html/rfc6749#section-4.2.1</a><br>
[2] <a moz-do-not-send="true"
href="http://openid.net/specs/openid-connect-core-1_0.html#ImplicitAuthRequest"
rel="noreferrer" target="_blank">http://openid.net/specs/openid-connect-core-1_0.html#ImplicitAuthRequest</a><br>
[3] <a moz-do-not-send="true"
href="http://openid.net/specs/openid-connect-core-1_0.html#HybridAuthRequest"
rel="noreferrer" target="_blank">http://openid.net/specs/openid-connect-core-1_0.html#HybridAuthRequest</a><br>
<br>
Marek<br>
<br>
<br>
_______________________________________________<br>
keycloak-dev mailing list<br>
<a moz-do-not-send="true"
href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br>
<a moz-do-not-send="true"
href="https://lists.jboss.org/mailman/listinfo/keycloak-dev"
rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br>
</blockquote>
</div>
<br>
</div>
</blockquote>
<br>
</body>
</html>