[Openid-specs-ab] response_type 'none'
Roland Hedberg
roland.hedberg at adm.umu.se
Thu Sep 22 12:26:14 UTC 2011
On 22 Sep 2011 at 14:08, sakimura wrote:
> On Thu, 22 Sep 2011 09:22:51 +0200, Roland Hedberg wrote:
>> According to
>>
>> OpenID Connect Messages 1.0 - draft 04
>> 3.1.3. Authorization Response
>>
>> 'The response_type "none" preempts all other values and only state
>> SHOULD be returned to the client.'
>>
>> This violates draft-ietf-oauth-v2-21 section 4.1.2, which states that
>> 'code' is required in an Authorization Response.
>
> That is when response_type=code.
Right, but if you define response_type=token then the response should be according to section 5.1,
which also has a couple of requirements.
> The response_type=none is essentially introducing a new flow,
> which is neither "code" nor "token" nor "code token".
So it involves a new response type which is not described by OAuth2 and which we then should define.
It should only contain one optional parameter: 'state', which of course is required if it appeared in the request.
>> So, should we state that the returned value of 'code' SHOULD be ""
>> when response_type == 'none' ?
>> But that it in any way will be ignored ?
>
> I think we should explicitly say that the combination of "none" and any
> other response type is undefined.
That too!
-- Roland
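The rules argued over in this thread, as an added example that is not part of the original message: a relying-party-side check of the authorization response that rejects "none" combined with any other response_type, allows only 'state' for a pure "none" response, requires 'state' to be echoed back whenever it was sent, and requires 'code' for the code flow. The function name, exception class and callback URLs are assumptions made for the example.

```python
from urllib.parse import urlsplit, parse_qs


class InvalidAuthzResponse(ValueError):
    """Raised when the redirect back to the client violates the expected shape."""


def validate_authz_response(redirect_uri, requested_response_type, requested_state=None):
    """Return the parsed response parameters, or raise InvalidAuthzResponse.

    Rules implemented (assumption: this is how the RP applies the thread's conclusions):
      * "none" combined with any other response_type value is undefined -> reject
      * for "none", only 'state' may come back (an empty 'code=' is dropped by the
        parser and therefore ignored)
      * 'state' sent in the request must be returned and must match (CSRF binding)
      * for "code", 'code' is required (draft-ietf-oauth-v2-21 section 4.1.2)
    """
    requested = set(requested_response_type.split())
    if "none" in requested and len(requested) > 1:
        raise InvalidAuthzResponse("'none' combined with other response types is undefined")

    parts = urlsplit(redirect_uri)
    # The implicit (token) flow returns parameters in the fragment; code/none use the query.
    raw = parts.fragment if "token" in requested else parts.query
    params = {k: v[0] for k, v in parse_qs(raw).items()}

    # A state that was sent must come back, and must be the same value.
    if requested_state is not None and params.get("state") != requested_state:
        raise InvalidAuthzResponse("missing or mismatched 'state'")

    if requested == {"none"}:
        extra = sorted(set(params) - {"state"})
        if extra:
            raise InvalidAuthzResponse("response_type 'none' must return only 'state', got %s" % extra)
    if "code" in requested and not params.get("code"):
        raise InvalidAuthzResponse("'code' is required in the authorization response")
    if "token" in requested and not params.get("access_token"):
        raise InvalidAuthzResponse("'access_token' is required in the authorization response")
    return params
```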