[Openid-specs-ab] Issue #2171: Proposal: Introduction of “Light/Pure” Variants for Implicit and Hybrid Plans (openid/connect)

panva issues-reply at bitbucket.org
Thu Sep 26 07:20:21 UTC 2024


New issue 2171: Proposal: Introduction of “Light/Pure” Variants for Implicit and Hybrid Plans
https://bitbucket.org/openid/connect/issues/2171/proposal-introduction-of-light-pure

Filip Skokan:

I propose an evolution of the OpenID Connect Core 1.0 certification plans: to introduce “light” or “pure” variants of the Implicit and Hybrid Core certification plans. These new plans would specifically exclude response types that issue access tokens in the front channel, to allow certification of software that only implements `code`, `code id_token` and `id_token`.

The reasoning is simple: I cannot find a good practical reason to use response types `code token`, `code id_token token` or `id_token token` in newly developed software; therefore, as an RP/OP implementer, I don’t want to include these in future iterations of my software for the sole purpose of being able to certify for the only two response types other than `code` that make sense: `code id_token` and `id_token`.

This is very much related to #1362 (inclusion of PKCE as a variant) as well as (can’t find the particular issues) the possibility to now pass certification without having alg:none support or verifying ID Token signatures from the Token Endpoint.
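The split the proposal draws, between response types that return an access token in the authorization response and those that do not, is mechanical: it is exactly the presence of the `token` component. The example below, added here and not code from the issue or from any OpenID project, classifies a raw `response_type` parameter into the Core 1.0 flow it belongs to and flags the front-channel access token; the "light" acceptance policy and the `check_authorization_request` helper are hypothetical illustrations of how an OP could enforce the proposed subset, not anything the certification suite defines.

```python
"""Classify OpenID Connect response_type values and flag those that deliver
an access token in the front channel (added example, not from the issue)."""

# Response types defined by OpenID Connect Core 1.0 together with the OAuth 2.0
# Multiple Response Type Encoding Practices spec. The parameter is a
# space-separated, order-insensitive list, so each type is held as a frozenset.
CODE_FLOW = {frozenset({"code"})}
IMPLICIT_FLOW = {frozenset({"id_token"}), frozenset({"id_token", "token"})}
HYBRID_FLOW = {
    frozenset({"code", "id_token"}),
    frozenset({"code", "token"}),
    frozenset({"code", "id_token", "token"}),
}
KNOWN = CODE_FLOW | IMPLICIT_FLOW | HYBRID_FLOW


def parse_response_type(value: str) -> frozenset:
    """Normalise the raw parameter: split on whitespace, ignore ordering."""
    parts = value.split()
    if not parts:
        raise ValueError("empty response_type")
    return frozenset(parts)


def flow_name(rt: frozenset) -> str:
    """Map a normalised response type to its Core 1.0 flow name."""
    if rt in CODE_FLOW:
        return "authorization_code"
    if rt in IMPLICIT_FLOW:
        return "implicit"
    if rt in HYBRID_FLOW:
        return "hybrid"
    # A bare "token" (plain OAuth 2.0 implicit) or anything unregistered
    # is rejected rather than guessed at.
    raise ValueError(f"unsupported response_type: {' '.join(sorted(rt))}")


def issues_front_channel_access_token(rt: frozenset) -> bool:
    """True when the authorization response itself carries an access token,
    which is the case exactly when the 'token' component is present."""
    return "token" in rt


def classify(value: str) -> dict:
    """Return the flow and the front-channel flag for a raw parameter."""
    rt = parse_response_type(value)
    return {
        "flow": flow_name(rt),
        "front_channel_access_token": issues_front_channel_access_token(rt),
    }


def allowed_under_light_plan(value: str) -> bool:
    """Hypothetical 'light' policy: only known response types that never put
    an access token in the front channel (code, code id_token, id_token)."""
    rt = parse_response_type(value)
    return rt in KNOWN and not issues_front_channel_access_token(rt)


def check_authorization_request(params: dict, client_response_types: set) -> tuple:
    """Hypothetical OP-side check: accept an authorization request only if its
    response_type is valid, permitted by the light policy, and registered for
    the client. Returns (ok, reason)."""
    value = params.get("response_type", "")
    try:
        rt = parse_response_type(value)
        flow_name(rt)
    except ValueError as exc:
        return False, str(exc)
    if not allowed_under_light_plan(value):
        return False, "response_type delivers an access token in the front channel"
    registered = {parse_response_type(v) for v in client_response_types}
    if rt not in registered:
        return False, "response_type not registered for this client"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests, in the order the proposal discusses them.
    for sample in ("code", "code id_token", "id_token", "code token", "token id_token"):
        print(sample, "->", classify(sample), "light:", allowed_under_light_plan(sample))
```

Because the comparison is set-based, `id_token code` and `code id_token` are treated as the same response type, which matches how the parameter is defined; a string comparison against a whitelist would silently reject one spelling and accept the other.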



More information about the Openid-specs-ab mailing list