If OpenID Connect prevents response_type=token, then no. We should be OpenID Connect compliant.

Just add this to the issue and close it as rejected.

On 25 January 2016 at 21:54, Marek Posolda <mposolda@redhat.com> wrote:
Question about https://issues.jboss.org/browse/KEYCLOAK-2351 . Should we
allow response_type=token ?

Basically OAuth2 allows that [1], but OpenID Connect doesn't allow the implicit
or hybrid flow to use response_type=token alone without "id_token" or
"code" [2] [3].

I am fine with supporting response_type=token, however, don't we break
the OpenID Connect specs then? Or should we have an option (either an on/off
flag or a list of valid response_type combinations) in the configuration to
specify whether it's allowed or not?

[1] https://tools.ietf.org/html/rfc6749#section-4.2.1
[2] http://openid.net/specs/openid-connect-core-1_0.html#ImplicitAuthRequest
[3] http://openid.net/specs/openid-connect-core-1_0.html#HybridAuthRequest

Marek


_______________________________________________
keycloak-dev mailing list
keycloak-dev@lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
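The rule under discussion, as an added illustration that is not Keycloak code and is not from either poster: a small validator for the response_type parameter of an authorization request. It accepts exactly the combinations OpenID Connect Core 1.0 defines for the code, implicit and hybrid flows ([2], [3]), and treats the bare OAuth 2.0 "token" value ([1]) as allowed only when a hypothetical `allow_oauth2_token` flag is set, which is the on/off configuration option Marek floats. Function names and the flow labels are this example's own.

```python
"""Check an OAuth2/OIDC response_type against the OpenID Connect Core rules.

OAuth 2.0 (RFC 6749 section 4.2.1) permits response_type=token by itself.
OpenID Connect Core 1.0 only defines the combinations listed in
OIDC_RESPONSE_TYPES; "token" alone is not among them, so an OIDC-compliant
provider must reject it unless it deliberately opts into plain OAuth2.
"""
from typing import FrozenSet

# response_type is a space-separated set, so order is irrelevant: "token id_token"
# and "id_token token" are the same request. Per OpenID Connect Core 1.0.
OIDC_RESPONSE_TYPES = {
    frozenset({"code"}),                        # authorization code flow
    frozenset({"id_token"}),                    # implicit flow
    frozenset({"id_token", "token"}),           # implicit flow
    frozenset({"code", "id_token"}),            # hybrid flow
    frozenset({"code", "token"}),               # hybrid flow
    frozenset({"code", "id_token", "token"}),   # hybrid flow
}

# Valid under RFC 6749 only; not an OpenID Connect response type.
OAUTH2_ONLY_RESPONSE_TYPES = {frozenset({"token"})}

KNOWN_VALUES = {"code", "id_token", "token"}


class InvalidResponseType(ValueError):
    """Raised when the request must be answered with an error response."""


def parse_response_type(raw: str) -> FrozenSet[str]:
    """Split the raw parameter into a set, rejecting empty, unknown or
    duplicated values so that e.g. 'token token' is not quietly collapsed."""
    if raw is None or not raw.strip():
        raise InvalidResponseType("response_type is required")
    parts = raw.split()
    if len(parts) != len(set(parts)):
        raise InvalidResponseType(f"duplicate value in response_type: {raw!r}")
    unknown = [p for p in parts if p not in KNOWN_VALUES]
    if unknown:
        raise InvalidResponseType(f"unsupported response_type value(s): {unknown}")
    return frozenset(parts)


def classify_flow(requested: FrozenSet[str]) -> str:
    """Name the flow a valid combination selects (labels are this example's own)."""
    if requested == frozenset({"code"}):
        return "authorization_code"
    if "code" in requested:
        return "hybrid"
    if "id_token" in requested:
        return "implicit"
    return "oauth2_implicit"


def validate_response_type(raw: str, allow_oauth2_token: bool = False) -> str:
    """Return the flow name for an acceptable response_type, or raise.

    allow_oauth2_token is the hypothetical on/off configuration switch: when
    False (the OIDC-compliant default) a bare 'token' is rejected.
    """
    requested = parse_response_type(raw)
    if requested in OIDC_RESPONSE_TYPES:
        return classify_flow(requested)
    if requested in OAUTH2_ONLY_RESPONSE_TYPES:
        if allow_oauth2_token:
            return classify_flow(requested)
        raise InvalidResponseType(
            "response_type=token alone is not permitted by OpenID Connect; "
            "combine it with id_token and/or code")
    # Every non-empty subset of KNOWN_VALUES is covered above; kept defensively.
    raise InvalidResponseType(f"unsupported response_type combination: {raw!r}")


def is_allowed(raw: str, allow_oauth2_token: bool = False) -> bool:
    """Boolean convenience wrapper around validate_response_type."""
    try:
        validate_response_type(raw, allow_oauth2_token)
        return True
    except InvalidResponseType:
        return False


if __name__ == "__main__":
    for value in ("code", "id_token token", "code id_token token", "token", "token token"):
        for flag in (False, True):
            try:
                print(f"{value!r:28} allow_oauth2_token={flag!s:5} -> {validate_response_type(value, flag)}")
            except InvalidResponseType as exc:
                print(f"{value!r:28} allow_oauth2_token={flag!s:5} -> rejected: {exc}")
```

With the flag left at its default the validator behaves as Stian's answer requires; flipping it on is the OAuth2-only relaxation Marek asks about, and keeping it a separate switch makes the deviation from the OIDC spec an explicit, auditable configuration choice rather than an implicit default.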