[keycloak-dev] Should we allow response_type=token?

Stian Thorgersen sthorger at redhat.com
Tue Jan 26 02:44:25 EST 2016


If OpenID Connect prevents response_type=token, then no. We should be
OpenID Connect compliant.

Just add this to the issue and close it as rejected.

On 25 January 2016 at 21:54, Marek Posolda <mposolda at redhat.com> wrote:

> Question about https://issues.jboss.org/browse/KEYCLOAK-2351 . Should we
> allow response_type=token?
>
> Basically OAuth2 allows that [1], but OpenID Connect doesn't allow the
> implicit or hybrid flow to use response_type=token alone, without "id_token"
> or "code" [2] [3].
>
> I am fine with supporting response_type=token, however don't we break the
> OpenID Connect specs then? Or should we have an option (either an on/off flag
> or a list of valid response_type combinations) in the configuration to specify
> whether it's allowed or not?
>
> [1] https://tools.ietf.org/html/rfc6749#section-4.2.1
> [2] http://openid.net/specs/openid-connect-core-1_0.html#ImplicitAuthRequest
> [3] http://openid.net/specs/openid-connect-core-1_0.html#HybridAuthRequest
>
> Marek
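The rule the thread turns on is small enough to write down. OIDC Core treats response_type as an order-independent set of values, and every combination it defines for the code, implicit and hybrid flows contains "code" and/or "id_token"; plain OAuth2 (RFC 6749 section 4.2.1) additionally permits "token" on its own. The validator below is an added illustration of that spec-level check and is not Keycloak code; the `allow_oauth2_token_only` policy switch is a hypothetical stand-in for the on/off configuration option Marek proposes, not an existing setting.

```python
"""Spec-level validation of the response_type authorization parameter.

Added example (not Keycloak's implementation). Encodes the response_type
combinations OIDC Core 1.0 defines for the authorization code, implicit and
hybrid flows, and treats the OAuth2-only "token" response type as a
policy decision, mirroring the on/off option discussed on the list.
"""
from dataclasses import dataclass

# OIDC Core 1.0 response types, keyed as sets because the spec says the
# values are space-delimited and order does not matter.
FLOW_BY_RESPONSE_TYPE = {
    frozenset({"code"}): "authorization_code",
    frozenset({"id_token"}): "implicit",
    frozenset({"id_token", "token"}): "implicit",
    frozenset({"code", "id_token"}): "hybrid",
    frozenset({"code", "token"}): "hybrid",
    frozenset({"code", "id_token", "token"}): "hybrid",
}

# RFC 6749 implicit grant: an access token with neither id_token nor code.
# Valid OAuth2, not valid OIDC.
OAUTH2_TOKEN_ONLY = frozenset({"token"})

KNOWN_VALUES = {"code", "id_token", "token"}


class UnsupportedResponseType(ValueError):
    """Raised when the request must be rejected; `error` is the OAuth2
    error code the authorization endpoint would return to the client."""
    error = "unsupported_response_type"


@dataclass(frozen=True)
class ResponseTypePolicy:
    # Hypothetical server-side switch (assumption, not a real Keycloak option):
    # False keeps the server strictly OIDC-conformant.
    allow_oauth2_token_only: bool = False


def parse_response_type(raw: str) -> frozenset[str]:
    """Split the raw parameter into a set, rejecting empty or duplicated values."""
    parts = raw.split()
    if not parts:
        raise UnsupportedResponseType("response_type is required")
    if len(parts) != len(set(parts)):
        raise UnsupportedResponseType(f"duplicate value in response_type: {raw!r}")
    return frozenset(parts)


def validate_response_type(raw: str,
                           policy: ResponseTypePolicy = ResponseTypePolicy()) -> str:
    """Return the flow name for an accepted response_type, else raise
    UnsupportedResponseType with the reason the request is rejected."""
    rt = parse_response_type(raw)

    flow = FLOW_BY_RESPONSE_TYPE.get(rt)
    if flow is not None:
        return flow

    if rt == OAUTH2_TOKEN_ONLY:
        if policy.allow_oauth2_token_only:
            return "oauth2_implicit"
        raise UnsupportedResponseType(
            "'token' alone is permitted by RFC 6749 but not by OpenID Connect; "
            "disabled by server policy")

    # Anything else contains a value outside the three the specs define.
    unknown = sorted(rt - KNOWN_VALUES)
    raise UnsupportedResponseType(f"unknown response_type value(s): {unknown}")


if __name__ == "__main__":
    for candidate in ["code", "token id_token", "code id_token token", "token", "code foo"]:
        try:
            print(f"{candidate!r:28} -> {validate_response_type(candidate)}")
        except UnsupportedResponseType as exc:
            print(f"{candidate!r:28} -> {exc.error}: {exc}")
```

Keeping the check as a lookup over sets rather than string comparison is what makes "token id_token" and "id_token token" equivalent, as the spec requires, and isolating the OAuth2-only case behind a policy object keeps the default deployment OIDC-conformant while leaving the decision Stian and Marek are discussing as a single, auditable switch.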