Spec not clear as to which auth flows are supported

Issue #72 closed
Dave Tonge created an issue

e..g Authorization Code Flow, Implicit Flow, Hybrid Flow We should be explicit as to what we support

Comments (7)

  1. Nat Sakimura

    Since we agreed that we need to have both the request and response signed, only the viable flow is the Hybrid Flow.

  2. Dave Tonge reporter

    Actually I think its a bit clearer now:

    shall require the response_type values code id_token or code id_token token;
    shall return ID Token as a detached signature to the authorization response;
    shall include state hash, s_hash, in the ID Token to protect the state value;

    I think we can close this.

  3. Log in to comment