[keycloak-dev] Should we allow response_type=token ?

Question about https://issues.jboss.org/browse/KEYCLOAK-2351 . Should we allow response_type=token ? Basically OAuth2 allows that [1] but OpenID Connect doesn't for implicit nor hybrid flow to use response_type=token alone without "id_token" or "code" [2] [3] . I am fine with support response_type=token, however doesn't we break OpenID Connect specs then? Or should we have option (either on/off flag or list of valid response_type combinations) in configuration to specify whether it's allowed or not? [1] https://tools.ietf.org/html/rfc6749#section-4.2.1 [2] http://openid.net/specs/openid-connect-core-1_0.html#ImplicitAuthRequest [3] http://openid.net/specs/openid-connect-core-1_0.html#HybridAuthRequest Marek