Question about https://issues.jboss.org/browse/KEYCLOAK-2351. Should we
allow response_type=token?
Basically OAuth2 allows that [1], but OpenID Connect doesn't allow either the implicit
or the hybrid flow to use response_type=token alone without "id_token" or
"code" [2] [3].
I am fine with supporting response_type=token, however don't we break the
OpenID Connect specs then? Or should we have an option (either an on/off flag
or a list of valid response_type combinations) in the configuration to specify
whether it's allowed or not?
[1] https://tools.ietf.org/html/rfc6749#section-4.2.1
[2] http://openid.net/specs/openid-connect-core-1_0.html#ImplicitAuthRequest
[3] http://openid.net/specs/openid-connect-core-1_0.html#HybridAuthRequest
Marek
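An added example, not Keycloak's own code, of the check the question is about: a small Python validator that classifies the response_type parameter by flow and rejects a bare "token" unless a hypothetical allow_oauth2_token switch (standing in for the on/off flag proposed in the mail) is enabled. Value order and duplicates are handled because the values form an unordered set.

```python
# Added example (not Keycloak code): validate an OAuth2/OIDC response_type
# and decide which flow it selects, with a switch for the bare "token" case.
from typing import FrozenSet

# Combinations defined by OpenID Connect Core (implicit and hybrid flows)
# plus the OAuth2 authorization code flow. Order of values is irrelevant.
_FLOWS = {
    frozenset({"code"}): "authorization_code",
    frozenset({"id_token"}): "implicit",
    frozenset({"id_token", "token"}): "implicit",
    frozenset({"code", "id_token"}): "hybrid",
    frozenset({"code", "token"}): "hybrid",
    frozenset({"code", "id_token", "token"}): "hybrid",
}
# Plain OAuth2 implicit grant (RFC 6749 section 4.2.1): no id_token issued.
_OAUTH2_ONLY = frozenset({"token"})
_KNOWN = frozenset({"code", "id_token", "token"})


class InvalidResponseType(ValueError):
    pass


def classify_response_type(response_type: str, allow_oauth2_token: bool = False) -> str:
    """Return the flow name selected by response_type, or raise InvalidResponseType.

    allow_oauth2_token is the hypothetical configuration switch: when False,
    a bare "token" is rejected because OpenID Connect requires "id_token" or
    "code" alongside it.
    """
    if not response_type or not response_type.strip():
        raise InvalidResponseType("response_type is required")
    values = response_type.split()
    requested: FrozenSet[str] = frozenset(values)
    if len(values) != len(requested):
        raise InvalidResponseType("duplicate value in response_type")
    unknown = requested - _KNOWN
    if unknown:
        raise InvalidResponseType(f"unsupported response_type value(s): {sorted(unknown)}")
    if requested == _OAUTH2_ONLY:
        if allow_oauth2_token:
            return "oauth2_implicit"
        raise InvalidResponseType("response_type=token alone is not permitted by OpenID Connect")
    # Every other non-empty subset of _KNOWN is covered by _FLOWS.
    return _FLOWS[requested]


def is_allowed(response_type: str, allow_oauth2_token: bool = False) -> bool:
    """Boolean convenience wrapper around classify_response_type."""
    try:
        classify_response_type(response_type, allow_oauth2_token)
        return True
    except InvalidResponseType:
        return False
```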