[Openid-specs-ab] defining new response types

Marius Scurtescu mscurtescu at google.com
Tue Jul 12 01:07:14 UTC 2011


If I read section 8.4 correctly it seems that new response types can
be defined but composite values must be registered explicitly.

I don't think this approach scales too well. OpenID Connect for
example is adding a new response type: id_token.

id_token can be combined with either code or token and potentially
with both of them, the following combinations must be registered as a
result:
code+id_token
token+id_token
code+token+id_token

and this assumes that code+token is already registered.

I think it makes more sense to define response_type as a space
separated list of items, where each item can be individually
registered. I do realize that this complicates things quite a bit (not
we have to define and deal with both composite response_type and the
individual items).

As a side note, using + as separator could cause lots of problems. If
people naively type "code+toke" it will be decoded as "code token". No
one will remember the hex code for +.

Marius


More information about the Openid-specs-ab mailing list