1. OpenID Foundation Avatar OpenID Foundation
  2. WGs
  3. connect
  4. Issues

specific response types need to be used in place of "implicit flow" and "code flow"

Issue #648 resolved
Brian Campbell created an issue

The terms "implicit flow" and "code flow" are not defined anywhere in the Connect specs and the way they are defined/used in OAuth doesn't really match up with how they are used in Connect.

There are some required behaviors now based on the flow being used but there seems to be quite a bit of ambiguity on what the flows really mean. It would be preferable to explicitly state the response type(s) that impact such requirements rather than using the loose terms of implicit and code flow.

This thread is one example of the confusion/ambiguity: http://lists.openid.net/pipermail/openid-specs-ab/Week-of-Mon-20120903/002350.html

Comments (9)

  3. Michael Jones

    The key difference is how responses are encoded (fragment, etc.). We may want to say that the id_token response_type is part of the implicit flow.

  6. Brian Campbell reporter

    I'm not sure using a "response type of token id_token rather than implicit" is really gonna do it?

    In general, "token", "id_token", "id_token token", "code token", "code id_token", "code id_token token" all could be considered to be what was meant by the term implicit flow, right? Though some of the specific requirements only apply to a subset.

    I think Mike was onto something in the observation about the key difference being in the nature of the response encoding - i.e. fragment vs. query.

  10. Log in to comment
Assignee
Type
bug
Priority
minor
Status
resolved
Component
Milestone
Version
Votes
0
Watchers
0
Jira: the preferred issue tracker for Bitbucket. Join the team!