I did a bit more research regarding this. OpenID Connect doesn't explicitly prevent that "response_type=token" must not be used. There is just this sentence in the specs:
NOTE: While OAuth 2.0 also defines the token Type value for the Implicit Flow, OpenID Connect does not use this Response Type, since no ID Token would be returned.
So to be compliant with pure OAuth 2 clients (like swagger.ui), which don't know about the "id_token" response_type, I actually suggest supporting response_type=token for clients with enabled implicit flow. I've sent a PR for this. Let me know if you think that we shouldn't merge it.
On 26/01/16 08:44, Stian Thorgersen wrote:
If OpenID Connect prevents response_type=token, then no. We should be OpenID Connect compliant.
Just add this to the issue and close it as rejected.