Use Bearer in token_type in Implicit Flow response example

Issue #985 resolved
Iván Perdomo created an issue

The section "Successful Token Response" (http://openid.net/specs/openid-connect-core-1_0.html#TokenResponse) states that the token_type MUST be Bearer, as specified in OAuth 2.0 Bearer Token Usage [RFC6750]. However, there is another example that uses bearer in token_type. See section 3.2.2.5 "Successful Authentication Response" (http://openid.net/specs/openid-connect-core-1_0.html#ImplicitAuthResponse):

  HTTP/1.1 302 Found
  Location: https://client.example.org/cb#
    access_token=SlAV32hkKG
    &token_type=bearer
    &id_token=eyJ0 ... NiJ9.eyJ1c ... I6IjIifX0.DeWt4Qu ... ZXso
    &expires_in=3600
    &state=af0ifjsldkj

That example does not follow RFC6750.
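An added illustration, not part of the issue report or of the OpenID Connect specification text: a small client-side parser for the fragment of an implicit-flow redirect, followed by a check of the REQUIRED parameters from section 3.2.2.5. The strict check treats token_type exactly as OIDC Core words it (the literal value Bearer) and therefore flags the example quoted above; the lenient mode compares case-insensitively, which is what OAuth 2.0 (RFC 6749, section 5.1) allows for token_type and is the behaviour a client would need in order to interoperate with a provider that still emits the lowercase form. The Location value below is reconstructed from the issue text (the elided id_token is kept elided); function names and messages are my own.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample input: the Location header quoted in the issue,
# with the lowercase token_type that the report is about.
IMPLICIT_LOCATION = (
    "https://client.example.org/cb#"
    "access_token=SlAV32hkKG"
    "&token_type=bearer"
    "&id_token=eyJ0...NiJ9.eyJ1c...I6IjIifX0.DeWt4Qu...ZXso"
    "&expires_in=3600"
    "&state=af0ifjsldkj"
)

# Parameters OIDC Core 3.2.2.5 lists as REQUIRED in the implicit response
# (state is REQUIRED when the client sent one in the request).
REQUIRED = ("access_token", "token_type", "id_token")


def parse_fragment_response(location):
    """Split the redirect URI and decode its fragment into a flat dict.

    Implicit-flow responses carry the parameters in the URI fragment, not
    the query, so only the part after '#' is decoded.  Repeated parameters
    are rejected: a duplicated token_type or state is never legitimate.
    """
    fragment = urlsplit(location).fragment
    multi = parse_qs(fragment, keep_blank_values=True)
    for name, values in multi.items():
        if len(values) != 1:
            raise ValueError(f"parameter {name!r} appears {len(values)} times")
    return {name: values[0] for name, values in multi.items()}


def check_token_response(params, expected_state, strict_case=True):
    """Return a list of problems found; an empty list means the response is acceptable.

    strict_case=True  : token_type must be exactly 'Bearer' (OIDC Core wording).
    strict_case=False : token_type compared case-insensitively (RFC 6749 s5.1).
    Signature validation of the id_token is deliberately out of scope here.
    """
    problems = []
    for name in REQUIRED:
        if not params.get(name):
            problems.append(f"missing required parameter: {name}")

    token_type = params.get("token_type")
    if token_type is not None:
        if strict_case and token_type != "Bearer":
            problems.append(
                f"token_type is {token_type!r}; OIDC Core requires exactly 'Bearer'"
            )
        elif not strict_case and token_type.lower() != "bearer":
            problems.append(f"unsupported token_type {token_type!r}")

    # Binding the response to the request: a wrong or missing state means the
    # response was not issued for this client session and must be discarded.
    if params.get("state") != expected_state:
        problems.append("state mismatch")

    # expires_in is OPTIONAL, but when present it must be a non-negative integer.
    expires_in = params.get("expires_in")
    if expires_in is not None and not expires_in.isdigit():
        problems.append(f"expires_in is not an integer: {expires_in!r}")

    return problems


if __name__ == "__main__":
    parsed = parse_fragment_response(IMPLICIT_LOCATION)
    print("strict :", check_token_response(parsed, "af0ifjsldkj"))
    print("lenient:", check_token_response(parsed, "af0ifjsldkj", strict_case=False))
```

Run as a script it reports the token_type problem under the strict check and nothing under the lenient one. A client that keys on the exact spelling will reject providers that copied the old example, so the practical choice for a consumer is the lenient comparison, while a provider should emit Bearer as the normative text requires.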

Comments (6)

  1. Ray Luo

    Hi Mr. Jones, thanks for clarifying this confusing topic by your unambiguous commit!

    But those changes have not (yet?) been published to the OIDC specs hosted on openid.net, for example, not in this “3.1.3.3. Successful Token Response” section (https://openid.net/specs/openid-connect-core-1_0.html#TokenResponse). In fact, the metadata at the very top of that published spec contains some keywords like “Final”, “November 8, 2014”, “OpenID Connect Core 1.0 incorporating errata set 1”. Is it really up-to-date?

    PS: I work for Microsoft and maintain one of its authentication SDKs. I would like to better understand this spec. Thanks for your time reading this.
