[keycloak-dev] Should we allow response_type=token ?

Marek Posolda mposolda at redhat.com
Tue Jan 26 07:16:17 EST 2016 

I did a bit more research regarding this. OpenID Connect doesn't 
explicitly prevent that "response_type=token" must not be used. There is 
just this sentence in the specs:
NOTE: While OAuth 2.0 also defines the token Response Type value for the 
Implicit Flow, OpenID Connect does not use this Response Type, since no 
ID Token would be returned.

So to be compliant with pure OAuth 2 clients (like swagger.ui) , which 
don't know about "id_token" response_type, I actually suggest to support 
response_type=token for clients with enabled implicit flow. I've sent PR 
for this https://github.com/keycloak/keycloak/pull/2110 . Let me know if 
you think that we shouldn't merge it.

Marek

On 26/01/16 08:44, Stian Thorgersen wrote:
> If OpenID Connect prevents response_type=token, then no. We should be 
> OpenID Connect compliant.
>
> Just add this to the issue and close it as rejected.
>
> On 25 January 2016 at 21:54, Marek Posolda <mposolda at redhat.com 
> <mailto:mposolda at redhat.com>> wrote:
>
>     Question about https://issues.jboss.org/browse/KEYCLOAK-2351 .
>     Should we
>     allow response_type=token ?
>
>     Basically OAuth2 allows that [1] but OpenID Connect doesn't for
>     implicit
>     nor hybrid flow to use response_type=token alone without "id_token" or
>     "code" [2] [3] .
>
>     I am fine with support response_type=token, however doesn't we break
>     OpenID Connect specs then? Or should we have option (either on/off
>     flag
>     or list of valid response_type combinations) in configuration to
>     specify
>     whether it's allowed or not?
>
>     [1] https://tools.ietf.org/html/rfc6749#section-4.2.1
>     [2]
>     http://openid.net/specs/openid-connect-core-1_0.html#ImplicitAuthRequest
>     [3]
>     http://openid.net/specs/openid-connect-core-1_0.html#HybridAuthRequest
>
>     Marek
>
>
>     _______________________________________________
>     keycloak-dev mailing list
>     keycloak-dev at lists.jboss.org <mailto:keycloak-dev at lists.jboss.org>
>     https://lists.jboss.org/mailman/listinfo/keycloak-dev
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.jboss.org/pipermail/keycloak-dev/attachments/20160126/b7fb5c45/attachment.html

More information about the keycloak-dev mailing list