SIOP response_types_supported

https://openid.net/specs/openid-connect-self-issued-v2-1_0-12.html#section-6.1-6.3.1

Says that AS/OP response_types_supported metadata is “A JSON array of strings representing supported response types. MUST be id_token”. An array can’t be a string but more importantly this reads as though it precludes other response types like authorization code that are discussed elsewhere in the document as being usable.

Is this intentional?

Should it rather say something like “MUST include id_token”?

‌

Comments (2)