Proposal: Introduction of “Light/Pure” Variants for Implicit and Hybrid Plans

Issue #2171 new
Filip Skokan created an issue

I propose an evolution of the OpenID Connect Core 1.0 certification plans: to introduce “light” or “pure” variants of the Implicit and Hybrid Core certification plans. These new plans would specifically exclude response types that issue access tokens in the front channel, to allow certification of software that only implements code, code id_token and id_token.

The reasoning is simple: I cannot find a good practical reason to use the response types code token, code id_token token or id_token token in newly developed software. Therefore, as an RP/OP implementer, I don't want to include these in future iterations of my software for the sole purpose of being able to certify for the only two response types other than code that make sense: code id_token and id_token.

This is very much related to #1362 (inclusion of PKCE as a variant) as well as (I can't find the particular issues) the possibility of now passing certification without having alg:none support or verifying ID Token signatures from the Token Endpoint.
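The distinction the proposal draws, as an added example that is not part of the issue or of the OpenID certification suite's code: a small Python module that normalizes a response_type value (order-insensitive, as the OAuth 2.0 Multiple Response Types spec requires), reports whether it would put an access token in the redirect URI, and checks an authorization response on the RP side against that policy (no access_token or token_type in the front channel, required code/id_token parameters present, no duplicated parameters, state matches). The names LIGHT_PLAN_RESPONSE_TYPES, response_problems and parse_authorization_response, and the sample redirect URLs, are assumptions constructed for this example.

```python
"""
Added example (not from the issue author or the OpenID certification suite):
separate the response types the proposal keeps (code, id_token, code id_token)
from those that deliver an access token in the front channel (code token,
id_token token, code id_token token), and validate an authorization response
against that policy on the RP side.
"""
from urllib.parse import parse_qs, urlsplit

# Values a response_type may contain (OAuth 2.0 and OAuth 2.0 Multiple Response Types).
KNOWN_RESPONSE_TYPE_VALUES = {"code", "id_token", "token", "none"}

# Hypothetical allow-list mirroring the proposal: the response types the
# "light/pure" plans would certify. None of them puts an access token in the
# front channel. Using frozensets makes "id_token code" equal to "code id_token".
LIGHT_PLAN_RESPONSE_TYPES = {
    frozenset({"code"}),
    frozenset({"id_token"}),
    frozenset({"code", "id_token"}),
}


def normalize_response_type(value):
    """Split a space-delimited response_type into a frozenset, rejecting junk."""
    parts = value.split()
    if not parts:
        raise ValueError("empty response_type")
    if len(set(parts)) != len(parts):
        raise ValueError("duplicate value in response_type: %r" % value)
    unknown = set(parts) - KNOWN_RESPONSE_TYPE_VALUES
    if unknown:
        raise ValueError("unknown response_type value(s): %s" % ", ".join(sorted(unknown)))
    if "none" in parts and len(parts) > 1:
        raise ValueError("'none' cannot be combined with other response types")
    return frozenset(parts)


def issues_front_channel_access_token(response_type):
    """True when the response would carry an access token in the redirect URI."""
    return "token" in normalize_response_type(response_type)


def allowed_under_light_plans(response_type):
    """True for code, id_token and code id_token (in any order); False otherwise."""
    return normalize_response_type(response_type) in LIGHT_PLAN_RESPONSE_TYPES


def _response_params(redirect_url, rt):
    # Default response_mode: query for plain "code", fragment for anything else.
    parts = urlsplit(redirect_url)
    raw = parts.query if rt == frozenset({"code"}) else parts.fragment
    return parse_qs(raw, keep_blank_values=True)


def response_problems(redirect_url, response_type, expected_state=None):
    """Check a redirect back to the RP; an empty list means it is acceptable."""
    rt = normalize_response_type(response_type)
    problems = []
    if rt not in LIGHT_PLAN_RESPONSE_TYPES:
        problems.append("response_type %r is outside the light plans" % response_type)
    parsed = _response_params(redirect_url, rt)
    dupes = sorted(k for k, v in parsed.items() if len(v) > 1)
    if dupes:
        problems.append("duplicated parameter(s): %s" % ", ".join(dupes))
    params = {k: v[0] for k, v in parsed.items()}
    if "error" in params:
        problems.append("error response: %s" % params["error"])
        return problems
    if "access_token" in params or "token_type" in params:
        problems.append("access token delivered in the front channel")
    for required in sorted(rt & {"code", "id_token"}):
        if required not in params:
            problems.append("missing %s in response" % required)
    if expected_state is not None and params.get("state") != expected_state:
        problems.append("state mismatch")
    return problems


def parse_authorization_response(redirect_url, response_type, expected_state=None):
    """Return the response parameters, or raise ValueError listing every problem."""
    problems = response_problems(redirect_url, response_type, expected_state)
    if problems:
        raise ValueError("; ".join(problems))
    rt = normalize_response_type(response_type)
    return {k: v[0] for k, v in _response_params(redirect_url, rt).items()}


if __name__ == "__main__":
    # Constructed sample redirects; the token values are placeholders, not real.
    hybrid = ("https://rp.example/cb#code=SplxlOBeZQQYbYS6WxSbIA"
              "&id_token=eyJhbGciOiJSUzI1NiJ9.e30.sig&state=af0ifjsldkj")
    print(response_problems(hybrid, "code id_token", "af0ifjsldkj"))  # []
    leaky = ("https://rp.example/cb#access_token=2YotnFZFEjr1zCsicMWpAA&token_type=Bearer"
             "&id_token=eyJhbGciOiJSUzI1NiJ9.e30.sig&state=af0ifjsldkj")
    print(response_problems(leaky, "id_token", "af0ifjsldkj"))
```

On the OP side the same normalize_response_type/allowed_under_light_plans pair can gate the authorization endpoint, so that any request asking for token in the front channel is refused with unsupported_response_type rather than served. Note that the check runs on the raw redirect URL the RP received; it does not verify the ID Token signature or the c_hash, which is a separate step.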

Comments (1)