[Openid-specs-ab] response_type 'none'

sakimura sakimura at gmail.com
Thu Sep 22 12:08:02 UTC 2011



 On Thu, 22 Sep 2011 09:22:51 +0200, Roland Hedberg wrote:
> According to
>
> OpenID Connect Messages 1.0 - draft 04
> 3.1.3.  Authorization Response
>
> 'The response_type "none" preempts all other values and only state
> SHOULD be returned to the client.'
>
> This violates draft-ietf-oauth-v2-21 section 4.1.2, which states that
> 'code' is required in an Authorization Response.

 That is when response_type=code.

 The response_type=none is essentially introducing a new flow,
 which is neither "code" nor "token" nor "code token".

>
> So, should we state that the returned value of 'code' SHOULD be ""
> when response_type == 'none' ?
> But that it in any way will be ignored ?

 I think we should explicitly say that the combination of "none" and any
 other response type is undefined.

>
> -- Roland
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-specs-ab
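
The rule discussed in this thread, as an added example that is not part of the original message or of any OpenID Connect library: a sketch that treats `response_type` as an unordered, space-delimited set, rejects "none" combined with any other value, and checks an authorization response against what was requested. The function names are hypothetical. Rejecting the undefined combination and flagging extra parameters on a "none" response are assumptions about how an implementation might enforce the text.

```python
# Added illustration; function and class names are hypothetical.
KNOWN = {"code", "token", "none"}  # only the values named in this thread


class ResponseTypeError(ValueError):
    pass


def parse_response_type(raw):
    """Return the requested response types as a frozenset (order is irrelevant)."""
    values = raw.split(" ") if raw else []
    if not values or "" in values:
        raise ResponseTypeError("empty or malformed response_type")
    types = frozenset(values)
    unknown = types - KNOWN
    if unknown:
        raise ResponseTypeError("unsupported value(s): " + ", ".join(sorted(unknown)))
    # Assumption: an undefined combination is refused rather than guessed at.
    if "none" in types and len(types) > 1:
        raise ResponseTypeError('"none" combined with another response type is undefined')
    return types


def check_authorization_response(requested, sent_state, params):
    """Client-side check of the redirect parameters; returns a list of problems."""
    types = parse_response_type(requested)
    problems = []
    if params.get("state") != sent_state:
        problems.append("state mismatch")
    if types == {"none"}:
        # Draft text quoted above: only state SHOULD be returned.
        extra = sorted(set(params) - {"state"})
        if extra:
            problems.append("unexpected parameters for none: " + ", ".join(extra))
    else:
        if "code" in types and not params.get("code"):
            problems.append("code missing")
        if "token" in types and not params.get("access_token"):
            problems.append("access_token missing")
    return problems


if __name__ == "__main__":
    # Constructed sample: a "none" response that also carries an empty code.
    print(check_authorization_response("none", "xyz", {"state": "xyz", "code": ""}))
```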


