[keycloak-dev] Should we allow response_type=token?
Marek Posolda
mposolda at redhat.com
Mon Jan 25 15:54:03 EST 2016
Question about https://issues.jboss.org/browse/KEYCLOAK-2351 . Should we
allow response_type=token?
Basically OAuth2 allows that [1], but OpenID Connect doesn't allow
response_type=token alone, without "id_token" or "code", in either the
implicit or the hybrid flow [2] [3].
I am fine with supporting response_type=token, however don't we break the
OpenID Connect specs then? Or should we have an option (either an on/off
flag or a list of valid response_type combinations) in the configuration
to specify whether it's allowed or not?
[1] https://tools.ietf.org/html/rfc6749#section-4.2.1
[2] http://openid.net/specs/openid-connect-core-1_0.html#ImplicitAuthRequest
[3] http://openid.net/specs/openid-connect-core-1_0.html#HybridAuthRequest
Marek
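As an added illustration of the spec distinction discussed above (example code, not Keycloak's own implementation): the check below normalizes a response_type value and classifies it against the RFC 6749 and OpenID Connect Core combinations cited in [1], [2] and [3]. The `allow_pure_token` flag is a hypothetical stand-in for the on/off option proposed in the mail.

```python
# Added example, not Keycloak code. Classifies an authorization request's
# response_type against RFC 6749 §4.2.1 (OAuth2 implicit: "token") and
# OpenID Connect Core implicit/hybrid combinations, which always include
# "id_token" and/or "code". The allow_pure_token flag is a hypothetical
# configuration switch, not an existing Keycloak setting.

# OIDC says the order of space-separated values is not significant, so
# every value is rewritten into this canonical order before comparison.
CANONICAL_ORDER = ("code", "id_token", "token")

# Canonical response_type -> flow name (per the cited spec sections).
FLOWS = {
    "code": "oidc_authorization_code",
    "id_token": "oidc_implicit",
    "id_token token": "oidc_implicit",
    "code id_token": "oidc_hybrid",
    "code token": "oidc_hybrid",
    "code id_token token": "oidc_hybrid",
    "token": "oauth2_implicit",  # valid in OAuth2 only, never in OIDC
}


def normalize_response_type(raw: str) -> str:
    """Collapse whitespace/duplicates and sort into canonical order."""
    parts = set(raw.split())
    if not parts or parts - set(CANONICAL_ORDER):
        raise ValueError(f"unsupported response_type: {raw!r}")
    return " ".join(p for p in CANONICAL_ORDER if p in parts)


def classify_response_type(raw: str, allow_pure_token: bool = False) -> str:
    """Return the flow name, or raise if the server must reject the request.

    A bare "token" is rejected unless the (hypothetical) allow_pure_token
    switch is on, since no OIDC flow issues only an access token.
    """
    flow = FLOWS[normalize_response_type(raw)]
    if flow == "oauth2_implicit" and not allow_pure_token:
        raise ValueError(
            "response_type=token is OAuth2-only; OIDC requires id_token or code")
    return flow
```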