[Openid-specs-ab] Responses for multiple response_type - Issue #31

nov matake nov at matake.jp
Fri Sep 16 00:52:28 UTC 2011


+1 for code in query and token in fragment

I don't get the reason why (mainly JS) clients need code in fragment even when token is already there.

On 2011/09/16, at 9:33, Edmund Jay wrote:

> While trying to resolve issue #31 (https://bitbucket.org/openid/connect/issue/31/standard-5121-inconsistency-with-messages) in the Issue Tracker, the working group runs into the problem of how to return authorization responses when multiple response_types are requested.
> 
> According to the OAuth 2.0 specs, the responses are returned as follows:
> 
> response_type          response
> -----------------------------------------------------
> code                   code returned in the query
> token                  token returned in the fragment
> 
> code token             unspecified (leave open for possible extension spec to register response_type combination)
> 
> code id_token
> token id_token
> code token id_token
> 
> 
> For the unspecified cases, John Bradley holds the position that if a fragment is returned, then all parameters are returned in the fragment. Others (Nat, Edmund) believe that code should be returned in the query while token and id_token are always returned in the fragment.
> 
> We would like to request consensus from the group on how to handle such responses, so that the responses for the specified combinations can be clearly specified and registered with OAuth.
> 
> -- Edmund
> 
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
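
The two positions in the thread, as an added example that is not part of the original messages: it builds the redirect for a multi-valued response_type under each policy and shows which parameters reach the client's server, given that browsers do not send the fragment in the HTTP request. The redirect URI, the policy names `split` and `fragment`, and all parameter values are constructed for illustration.

```javascript
// Added illustration, not code from the thread or from any specification.
const REDIRECT_URI = "https://client.example/cb"; // hypothetical client endpoint

// policy "split":    code in the query, token and id_token in the fragment
// policy "fragment": once any fragment is used, every parameter goes there
function buildRedirect(responseType, values, policy) {
  const types = responseType.split(" ").filter(Boolean);
  const usesFragment = types.some((t) => t === "token" || t === "id_token");
  const query = new URLSearchParams();
  const fragment = new URLSearchParams();
  for (const t of types) {
    // OAuth 2.0 returns the "token" response type as the access_token parameter
    const name = t === "token" ? "access_token" : t;
    if (!(name in values)) throw new Error(`no value for ${name}`);
    // A lone "code" always goes in the query, as in the OAuth 2.0 table
    const inQuery = t === "code" && (policy === "split" || !usesFragment);
    (inQuery ? query : fragment).set(name, values[name]);
  }
  const url = new URL(REDIRECT_URI);
  url.search = query.toString();
  url.hash = fragment.toString();
  return url.toString();
}

// The browser strips the fragment before requesting the redirect URI, so the
// client's server receives only the query; the fragment is readable only by
// script running in the page.
function visibility(redirect) {
  const url = new URL(redirect);
  return {
    server: Object.fromEntries(url.searchParams),
    browserOnly: Object.fromEntries(new URLSearchParams(url.hash.slice(1))),
  };
}

// Constructed sample values
const SAMPLE = { code: "c0de", access_token: "t0ken", id_token: "h.p.s" };
for (const policy of ["split", "fragment"]) {
  const redirect = buildRedirect("code token id_token", SAMPLE, policy);
  console.log(policy, redirect, JSON.stringify(visibility(redirect)));
}
```

Under the `fragment` policy the server receives no parameters, so page script has to forward the code to any server-side component that redeems it.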
