[Openid-specs-fapi] Issue #577: FAPI2SP appears to permit response_types "id_token", "id_token token" and "none" (openid/fapi)
josephheenan
issues-reply at bitbucket.org
Wed Mar 8 09:44:27 UTC 2023
New issue 577: FAPI2SP appears to permit response_types "id_token", "id_token token" and "none"
https://bitbucket.org/openid/fapi/issues/577/fapi2sp-appears-to-permit-response_types
Joseph Heenan:
FAPI2SP appears to permit response_types "id_token", "id_token token" and "none" - the only text I could find that's relevant is these two statements, neither of which would prevent this:
> shall reject requests using the resource owner password credentials grant or the implicit grant described in [[RFC6749](https://openid.net/specs/fapi-2_0-security-profile-ID2.html#RFC6749)] or the hybrid flow as described in [[OIDC](https://openid.net/specs/fapi-2_0-security-profile-ID2.html#OIDC)]
>
> shall support the authorization code grant (`response_type=code` & `grant_type=authorization_code`) described in [[RFC6749](https://openid.net/specs/fapi-2_0-security-profile-ID2.html#RFC6749)]
[technically, "id_token token" is probably not permitted because I don't think there's any way to issue a sender constrained access token from the authorization endpoint.]
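The gap the issue describes, as an added example (not code from the issue, the FAPI working group or the profile text): a classifier for `response_type` values following RFC 6749, OIDC Core and the OAuth 2.0 Multiple Response Type Encoding Practices spec, with a literal reading of the two quoted clauses beside a strict code-only allowlist that an FAPI 2.0 authorization server could apply instead. The flow labels and the allowlist policy are assumptions of this example.

```python
# Added example, not text from the issue or the FAPI profile: models how an
# authorization server classifies response_type values and which ones the two
# quoted FAPI2SP clauses leave unrejected. Flow names follow RFC 6749 sec. 4.2,
# OIDC Core sec. 3.1-3.3 and OAuth 2.0 Multiple Response Type Encoding ("none").

# response_type is a space-separated set of values; order is not significant.
RFC6749_IMPLICIT = {frozenset({"token"})}
OIDC_IMPLICIT = {frozenset({"id_token"}), frozenset({"id_token", "token"})}
OIDC_HYBRID = {
    frozenset({"code", "id_token"}),
    frozenset({"code", "token"}),
    frozenset({"code", "id_token", "token"}),
}

def classify(response_type: str) -> str:
    """Map a response_type parameter value to the flow it selects."""
    parts = frozenset(response_type.split())
    if parts == {"code"}:
        return "authorization_code"
    if parts in RFC6749_IMPLICIT:
        return "rfc6749_implicit"
    if parts in OIDC_IMPLICIT:
        return "oidc_implicit"
    if parts in OIDC_HYBRID:
        return "oidc_hybrid"
    if parts == {"none"}:
        return "none"
    return "unknown"

def rejected_by_quoted_text(response_type: str) -> bool:
    """Literal reading of the two quoted clauses: reject the RFC 6749 implicit
    grant and the OIDC hybrid flow. Other values are neither rejected nor required."""
    return classify(response_type) in {"rfc6749_implicit", "oidc_hybrid"}

def permitted_by_allowlist(response_type: str) -> bool:
    """Conservative deployment policy (an assumption, not profile text): the only
    acceptable value is exactly 'code'."""
    return classify(response_type) == "authorization_code"

def unrejected_non_code_values(candidates):
    """Values the quoted text does not reject but a code-only allowlist would."""
    return [rt for rt in candidates
            if not rejected_by_quoted_text(rt) and not permitted_by_allowlist(rt)]

if __name__ == "__main__":
    sample = ["code", "token", "id_token", "id_token token", "code id_token", "none"]
    for rt in sample:
        print(f"{rt!r:18} {classify(rt):18} rejected={rejected_by_quoted_text(rt)} "
              f"allowlist={permitted_by_allowlist(rt)}")
    print("slips through the quoted text:", unrejected_non_code_values(sample))
```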