9:54 p.m.
Question about https://issues.jboss.org/browse/KEYCLOAK-2351 . Should we
allow response_type=token ?
Basically OAuth2 allows that [1] but OpenID Connect doesn't for implicit
nor hybrid flow to use response_type=token alone without "id_token" or
"code" [2] [3] .
I am fine with support response_type=token, however doesn't we break
OpenID Connect specs then? Or should we have option (either on/off flag
or list of valid response_type combinations) in configuration to specify
whether it's allowed or not?
[1] https://tools.ietf.org/html/rfc6749#section-4.2.1
[2] http://openid.net/specs/openid-connect-core-1_0.html#ImplicitAuthRequest
[3] http://openid.net/specs/openid-connect-core-1_0.html#HybridAuthRequest
Marek
8:44 a.m.
If OpenID Connect prevents response_type=token, then no. We should be
OpenID Connect compliant.
Just add this to the issue and close it as rejected.
On 25 January 2016 at 21:54, Marek Posolda <mposolda(a)redhat.com> wrote:
Question about https://issues.jboss.org/browse/KEYCLOAK-2351 . Should
we
allow response_type=token ?
Basically OAuth2 allows that [1] but OpenID Connect doesn't for implicit
nor hybrid flow to use response_type=token alone without "id_token" or
"code" [2] [3] .
I am fine with support response_type=token, however doesn't we break
OpenID Connect specs then? Or should we have option (either on/off flag
or list of valid response_type combinations) in configuration to specify
whether it's allowed or not?
[1] https://tools.ietf.org/html/rfc6749#section-4.2.1
[2]
http://openid.net/specs/openid-connect-core-1_0.html#ImplicitAuthRequest
[3] http://openid.net/specs/openid-connect-core-1_0.html#HybridAuthRequest
Marek
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/keycloak-dev
1:16 p.m.
I did a bit more research regarding this. OpenID Connect doesn't
explicitly prevent that "response_type=token" must not be used. There is
just this sentence in the specs:
NOTE: While OAuth 2.0 also defines the token Response Type value for the
Implicit Flow, OpenID Connect does not use this Response Type, since no
ID Token would be returned.
So to be compliant with pure OAuth 2 clients (like swagger.ui) , which
don't know about "id_token" response_type, I actually suggest to support
response_type=token for clients with enabled implicit flow. I've sent PR
for this https://github.com/keycloak/keycloak/pull/2110 . Let me know if
you think that we shouldn't merge it.
Marek
On 26/01/16 08:44, Stian Thorgersen wrote:
If OpenID Connect prevents response_type=token, then no. We should be
OpenID Connect compliant.
Just add this to the issue and close it as rejected.
On 25 January 2016 at 21:54, Marek Posolda <mposolda(a)redhat.com
<mailto:mposolda@redhat.com>> wrote:
Question about https://issues.jboss.org/browse/KEYCLOAK-2351 .
Should we
allow response_type=token ?
Basically OAuth2 allows that [1] but OpenID Connect doesn't for
implicit
nor hybrid flow to use response_type=token alone without "id_token" or
"code" [2] [3] .
I am fine with support response_type=token, however doesn't we break
OpenID Connect specs then? Or should we have option (either on/off
flag
or list of valid response_type combinations) in configuration to
specify
whether it's allowed or not?
[1] https://tools.ietf.org/html/rfc6749#section-4.2.1
[2]
http://openid.net/specs/openid-connect-core-1_0.html#ImplicitAuthRequest
[3]
http://openid.net/specs/openid-connect-core-1_0.html#HybridAuthRequest
Marek
_______________________________________________
keycloak-dev mailing list
keycloak-dev(a)lists.jboss.org <mailto:keycloak-dev@lists.jboss.org>
https://lists.jboss.org/mailman/listinfo/keycloak-dev
1:25 p.m.
I'm happy with that, let's merge it
On 26 January 2016 at 13:16, Marek Posolda <mposolda(a)redhat.com> wrote:
I did a bit more research regarding this. OpenID Connect doesn't
explicitly prevent that "response_type=token" must not be used. There is
just this sentence in the specs:
NOTE: While OAuth 2.0 also defines the token Response Type value for the
Implicit Flow, OpenID Connect does not use this Response Type, since no ID
Token would be returned.
So to be compliant with pure OAuth 2 clients (like swagger.ui) , which
don't know about "id_token" response_type, I actually suggest to support
response_type=token for clients with enabled implicit flow. I've sent PR
for this https://github.com/keycloak/keycloak/pull/2110 . Let me know if
you think that we shouldn't merge it.
Marek
On 26/01/16 08:44, Stian Thorgersen wrote:
If OpenID Connect prevents response_type=token, then no. We should be
OpenID Connect compliant.
Just add this to the issue and close it as rejected.
On 25 January 2016 at 21:54, Marek Posolda <mposolda(a)redhat.com> wrote:
> Question about https://issues.jboss.org/browse/KEYCLOAK-2351 . Should we
> allow response_type=token ?
>
> Basically OAuth2 allows that [1] but OpenID Connect doesn't for implicit
> nor hybrid flow to use response_type=token alone without "id_token" or
> "code" [2] [3] .
>
> I am fine with support response_type=token, however doesn't we break
> OpenID Connect specs then? Or should we have option (either on/off flag
> or list of valid response_type combinations) in configuration to specify
> whether it's allowed or not?
>
> [1] https://tools.ietf.org/html/rfc6749#section-4.2.1
> [2]
> http://openid.net/specs/openid-connect-core-1_0.html#ImplicitAuthRequest
> [3]
> http://openid.net/specs/openid-connect-core-1_0.html#HybridAuthRequest
>
> Marek
>
>
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev(a)lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
3006
days inactive
3007
days old
3 comments
2 participants
participants (2)
-
Marek Posolda -
Stian Thorgersen