[Openid-specs-ab] response_type 'none'

Roland Hedberg roland.hedberg at adm.umu.se
Thu Sep 22 12:26:14 UTC 2011


22 sep 2011 kl. 14:08 skrev sakimura:

> On Thu, 22 Sep 2011 09:22:51 +0200, Roland Hedberg wrote:
>> According to
>> 
>> OpenID Connect Messages 1.0 - draft 04
>> 3.1.3.  Authorization Response
>> 
>> 'The response_type "none" preempts all other values and only state
>> SHOULD be returned to the client.'
>> 
>> This violates draft-ietf-oauth-v2-21 section 4.1.2, which states that
>> 'code' is required in an Authorization Response.
> 
> That is when response_type=code.

Right but if you define response_type=token then the response should be according to section 5.1 
which also has a couple of requirements.

> The response_type=none is essentially introducing a new flow,
> which is neither "code" nor "token" nor "code token".

So it involves a new response type which is not described by OAuth2 and which we then should define.
It should only contain one optional parameter: 'state'.
Which of course is required if it appeared in the request.

>> So, should we state that the returned value of 'code' SHOULD be ""
>> when response_type == 'none' ?
>> But that it in any way will be ignored ?
> 
> I think we should explicitly say that the combination of "none" and any
> other response type is undefined.

That too!

-- Roland
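The thread settles on two rules for the new response type: a response to response_type=none carries nothing but state (which is required whenever the request carried it), and "none" combined with any other response_type value is undefined. The following is an added example, not code from this list or from any OpenID Connect or OAuth implementation, showing how an authorization server and a client could enforce both rules while still honouring the OAuth 2.0 requirements for "code" (4.1.2) and "token" (4.2.2). All function names are hypothetical; the URIs and parameter values are constructed.

```python
"""Constructed example: treating response_type=none next to the OAuth 2.0
'code' and 'token' response types. Hypothetical helper names, not drawn from
any real OpenID or OAuth library."""
from urllib.parse import urlencode, urlsplit, parse_qs


class AuthorizationResponseError(ValueError):
    """Raised when a request or response violates the expected parameter set."""


KNOWN_TYPES = {"code", "token", "none"}


def parse_response_type(value):
    """Split a space-delimited response_type and reject the combination the
    thread calls undefined: 'none' together with any other value."""
    types = set(value.split())
    if not types:
        raise AuthorizationResponseError("response_type is empty")
    unknown = types - KNOWN_TYPES
    if unknown:
        raise AuthorizationResponseError("unknown response_type value(s): %s" % sorted(unknown))
    if "none" in types and len(types) > 1:
        raise AuthorizationResponseError("'none' combined with other response types is undefined")
    return types


def build_authorization_response(request, code=None, access_token=None,
                                 token_type=None, expires_in=None):
    """Authorization-server side: parameters for the redirect back to the client.
    `request` is the parsed authorization request (response_type, optional state)."""
    types = parse_response_type(request["response_type"])
    params = {}
    if "none" not in types:  # 'none' preempts everything: no code, no token
        if "code" in types:
            if code is None:
                raise AuthorizationResponseError("response_type=code requires a code")
            params["code"] = code
        if "token" in types:
            if access_token is None or token_type is None:
                raise AuthorizationResponseError(
                    "response_type=token requires access_token and token_type")
            params["access_token"] = access_token
            params["token_type"] = token_type
            if expires_in is not None:
                params["expires_in"] = str(expires_in)
    # state is optional in general but REQUIRED if the request carried it
    if "state" in request:
        params["state"] = request["state"]
    return params


def build_redirect_uri(redirect_uri, response_type, params):
    """Put the parameters in the query (code, none) or the fragment (any
    response that carries a token), as OAuth 2.0 sections 4.1.2 / 4.2.2 do."""
    types = parse_response_type(response_type)
    encoded = urlencode(params)
    if not encoded:
        return redirect_uri
    sep = "#" if "token" in types else ("&" if "?" in redirect_uri else "?")
    return redirect_uri + sep + encoded


def parse_redirect_params(uri):
    """Client side: collect single-valued parameters from query and fragment."""
    parts = urlsplit(uri)
    raw = {}
    raw.update(parse_qs(parts.query))
    raw.update(parse_qs(parts.fragment))
    return {k: v[0] for k, v in raw.items()}


def validate_authorization_response(response_type, expected_state, params):
    """Client side: always check state, then reject responses carrying more or
    fewer parameters than the requested response_type allows."""
    types = parse_response_type(response_type)
    if expected_state is not None and params.get("state") != expected_state:
        raise AuthorizationResponseError("state mismatch or missing")
    if "none" in types:
        extra = set(params) - {"state"}
        if extra:
            raise AuthorizationResponseError(
                "unexpected parameters for response_type=none: %s" % sorted(extra))
        return types
    if "code" in types and "code" not in params:
        raise AuthorizationResponseError("missing code")
    if "token" in types and not {"access_token", "token_type"} <= set(params):
        raise AuthorizationResponseError("missing access_token or token_type")
    return types


if __name__ == "__main__":
    # Constructed round trip: a 'none' request with state yields a state-only redirect.
    req = {"response_type": "none", "state": "af0ifjsldkj"}
    uri = build_redirect_uri("https://client.example.org/cb", req["response_type"],
                             build_authorization_response(req, code="ignored"))
    print(uri)
    print(validate_authorization_response("none", req["state"], parse_redirect_params(uri)))
```

On the server side a supplied code is silently dropped for "none", which is the "ignored" behaviour discussed above; on the client side a "none" response that nevertheless carries a code is rejected rather than ignored, since an unexpected code in a state-only flow is exactly the kind of thing a client should not quietly consume.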

