[Openid-specs-fapi] Issue #476: is response_type=code id_token permitted in FAPI2 Baseline? (openid/fapi)
josephheenan
issues-reply at bitbucket.org
Tue Feb 8 11:21:53 UTC 2022
New issue 476: is response_type=code id_token permitted in FAPI2 Baseline?
https://bitbucket.org/openid/fapi/issues/476/is-response_type-code-id_token-permitted
Joseph Heenan:
Are servers allowed to support `response_type=code id_token` when FAPI2 Baseline is in use?
My initial thought is that they probably shouldn't, as it would result in an id_token being leaked in the front channel, and I can't think of any reason it should be permitted.
However I’m not sure if there’s a spec clause that disallows it. Possibly this one might:
> shall reject requests using the resource owner password credentials grant or the implicit grant described in [[RFC6749](https://openid.bitbucket.io/fapi/fapi-2_0-baseline.html#RFC6749)]

as the hybrid flow is a form of implicit grant (according to [https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata](https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata)). But if so perhaps it could be a bit clearer.
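The following is an added example, not code from the thread, the FAPI specs or the openid/fapi repository. It classifies an OAuth 2.0 / OpenID Connect `response_type` value into the flow it selects (authorization code, implicit, hybrid), shows which artifacts the authorization endpoint would hand back through the user agent for it, and applies the policy the post argues for: treat the hybrid flow as a form of implicit grant and reject it under FAPI 2.0 Baseline, along with the resource owner password credentials grant. The flow tables come from RFC 6749 and OpenID Connect Core 1.0 section 3; the acceptance policy itself is an interpretation of the quoted clause, not spec text, and the function names are my own.

```python
"""Added example (not code from the FAPI specs or the openid/fapi repo):
classify an OAuth 2.0 / OIDC response_type and apply the FAPI 2.0 Baseline
policy argued for in the post. The policy is an assumption/interpretation
of the quoted "shall reject ... implicit grant" clause, not spec wording.
"""

from typing import FrozenSet, Optional

# response_type is a space-delimited, order-insensitive list of tokens
# (RFC 6749 section 3.1.1), so flows are matched as sets, not strings.
_CODE = frozenset({"code"})
_IMPLICIT = {
    frozenset({"token"}),                 # RFC 6749 implicit grant
    frozenset({"id_token"}),              # OIDC Core implicit flow
    frozenset({"id_token", "token"}),
}
_HYBRID = {                               # OIDC Core hybrid flow
    frozenset({"code", "id_token"}),
    frozenset({"code", "token"}),
    frozenset({"code", "id_token", "token"}),
}
# Authorization-response parameter produced by each response_type token.
_FRONT_CHANNEL = {"code": "code", "token": "access_token", "id_token": "id_token"}


def parse_response_type(value: str) -> Optional[FrozenSet[str]]:
    """Return the set of response_type tokens, or None if the value is
    malformed (empty, or the same token listed twice)."""
    tokens = value.split()
    if not tokens or len(tokens) != len(set(tokens)):
        return None
    return frozenset(tokens)


def classify_flow(response_type: str) -> str:
    """Name the flow a response_type selects: 'code', 'implicit', 'hybrid',
    or 'unknown' for anything RFC 6749 / OIDC Core does not define."""
    tokens = parse_response_type(response_type)
    if tokens is None:
        return "unknown"
    if tokens == _CODE:
        return "code"
    if tokens in _IMPLICIT:
        return "implicit"
    if tokens in _HYBRID:
        return "hybrid"
    return "unknown"


def front_channel_artifacts(response_type: str) -> FrozenSet[str]:
    """Parameters the authorization endpoint returns via the redirect URI.
    Everything other than 'code' is exposed to the user agent; the default
    response_mode is 'fragment' for any response_type except plain 'code'
    (OAuth 2.0 Multiple Response Type Encoding Practices, section 2.1)."""
    tokens = parse_response_type(response_type) or frozenset()
    return frozenset(_FRONT_CHANNEL[t] for t in tokens if t in _FRONT_CHANNEL)


def fapi2_baseline_accepts_response_type(response_type: str) -> bool:
    """Policy interpretation (assumption, not spec text): a FAPI 2.0 Baseline
    AS accepts only response_type=code, so that neither an id_token nor an
    access token is ever returned in the front channel. Hybrid is rejected
    as a form of implicit grant, as the post suggests."""
    return classify_flow(response_type) == "code"


def fapi2_baseline_accepts_grant_type(grant_type: str) -> bool:
    """Token-endpoint side of the quoted clause: refuse the resource owner
    password credentials grant. The implicit grant never reaches the token
    endpoint, so it is handled by the response_type check above. This check
    covers only the quoted clause, not any other FAPI 2.0 requirement."""
    return grant_type != "password"


if __name__ == "__main__":
    for rt in ("code", "code id_token", "id_token code", "id_token token", "code code"):
        print(f"{rt!r:22} flow={classify_flow(rt):8} "
              f"front_channel={sorted(front_channel_artifacts(rt))} "
              f"fapi2_baseline_ok={fapi2_baseline_accepts_response_type(rt)}")
```

The `id_token code` case is included deliberately: a server that compares `response_type` as a literal string would let the hybrid flow through on reordering, which is why the check parses the value into a set first.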