[Openid-specs-ab] Issue #1538: Clarify valid response_type values (openid/connect)

Travis Spencer issues-reply at bitbucket.org
Thu Jun 23 15:49:40 UTC 2022 

New issue 1538: Clarify valid response_type values
https://bitbucket.org/openid/connect/issues/1538/clarify-valid-response_type-values

Travis Spencer:

The [June 22 draft of OIDC4VP](https://openid.net/specs/openid-4-verifiable-presentations-1_0.html#section-5) says this in section 5:

> response\_type: REQUIRED. this parameter is defined in \[RFC6749\]. The possible values are determined by the response type registry established by \[RFC6749\]. This specification introduces the response type "vp\_token". This response type asks the Authorization Server \(AS\) to return only a VP Token in the **authorization response**.

The IANA considerations in appendix B is still TBD and so the only thing in the [referenced registry](https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#endpoint) are `token`, `code`, and the multi-response type values.

Section 6 goes on to say:

> If only vp\_token is used as the response\_type, the VP Token is provided in the authorization response. If the id\_token is used as the response\_type alongside vp\_token, the VP Token is provided in the OpenID Connect authentication response along with the ID Token. **In all other cases, the VP Token is provided in the token response.**

The second sentence seems to be saying that `response_type=id_token vp_token` is valid and I've seen references to that in the issue tracker. The last sentence is harder to understand, however. Is this saying that all of the following combinations are valid or only some of them?

* code vp\_token
* code id\_token vp\_token
* code id\_token token vp\_token
* code token vp\_token

Those would require a call to the token endpoint to redeem the code, and the first quoted section above says that the VP token is only returned from the “authorization response” which I take to refer to section [4.1.2 or RFC 6749](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2) \(i.e., the reply from the authorize endpoint prior to calling the token endpoint in the code flow\).\[1\] Does this mean that the above response type values are invalid or that the token endpoint should not issue a VP token?

The example in 8.2.3.1 further confuses me. This example says that the client is registering only with the code response type but it is registered with VP token formats. Does this mean that a VP token can be issued as a part of a normal code flow? If so, I suppose this is dependent on the client’s registered metadata or the AS’s policy. Is that right?

Also, what about these response types? Are these valid?

* id\_token token vp\_token
* token vp\_token
* none vp\_token

The last one is interesting. The [multi-response type spec says in section 4](https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#none):

> Authorization Server SHOULD NOT return an OAuth 2.0 Authorization Code, Access Token, Access Token Type, or ID Token in a successful response to the grant request

It doesn’t say anything about VP token, however, so one could interpret `none vp_token` as valid and meaning the same thing as a `response_type` of just `vp_token`. 

Section 2 of the multi-response type spec also says:

> Each Response Type value also defines a default Response Mode mechanism to be used, if no Response Mode is specified using the request parameter. 

What response mode is the default for any of the above that are valid? What about a `response_type` of just `vp_token`? What is the default response mode of that? OIDC4VP defines a new response mode \(`post`\), but it doesn't say that's the default for the `vp_token` response type. Quoting section 6 again which says:

> If only vp\_token is used as the response\_type, the VP Token is provided in the authorization response.

Does this mean the default response mode for `response_type=vp_token` is fragment? If so, it would be good to spell that out IMO.

From all this, it seems evident that the `response_type` values should be clarified or that I'm just too literal / daft. Not sure which it is but hope it's the former :wink: 

\[1\] Maybe I’m being too literal, but the hybrid flow defines this as an Authentication Response and the implicit flow in RFC 6749 doesn’t use this “authorization response” wording; it’s only used for the code flow \(that I found\).

More information about the Openid-specs-ab mailing list