<div dir="ltr">If OpenID Connect prevents response_type=token, then no. We should be OpenID Connect compliant.<div><br></div><div>Just add this to the issue and close it as rejected.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On 25 January 2016 at 21:54, Marek Posolda <span dir="ltr"><<a href="mailto:mposolda@redhat.com" target="_blank">mposolda@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Question about <a href="https://issues.jboss.org/browse/KEYCLOAK-2351" rel="noreferrer" target="_blank">https://issues.jboss.org/browse/KEYCLOAK-2351</a> . Should we<br>
allow response_type=token ?<br>
<br>
Basically OAuth2 allows that [1] but OpenID Connect doesn't for implicit<br>
nor hybrid flow to use response_type=token alone without "id_token" or<br>
"code" [2] [3] .<br>
<br>
I am fine with support response_type=token, however doesn't we break<br>
OpenID Connect specs then? Or should we have option (either on/off flag<br>
or list of valid response_type combinations) in configuration to specify<br>
whether it's allowed or not?<br>
<br>
[1] <a href="https://tools.ietf.org/html/rfc6749#section-4.2.1" rel="noreferrer" target="_blank">https://tools.ietf.org/html/rfc6749#section-4.2.1</a><br>
[2] <a href="http://openid.net/specs/openid-connect-core-1_0.html#ImplicitAuthRequest" rel="noreferrer" target="_blank">http://openid.net/specs/openid-connect-core-1_0.html#ImplicitAuthRequest</a><br>
[3] <a href="http://openid.net/specs/openid-connect-core-1_0.html#HybridAuthRequest" rel="noreferrer" target="_blank">http://openid.net/specs/openid-connect-core-1_0.html#HybridAuthRequest</a><br>
<br>
Marek<br>
<br>
<br>
_______________________________________________<br>
keycloak-dev mailing list<br>
<a href="mailto:keycloak-dev@lists.jboss.org">keycloak-dev@lists.jboss.org</a><br>
<a href="https://lists.jboss.org/mailman/listinfo/keycloak-dev" rel="noreferrer" target="_blank">https://lists.jboss.org/mailman/listinfo/keycloak-dev</a><br>
</blockquote></div><br></div>