-
|
I have been testing the library and when trying to use Best regards. |
Beta Was this translation helpful? Give feedback.
Replies: 2 comments 3 replies
-
|
Hi @jolivaSan, I have not encountered a strong argument for having to support these flows. Care to elaborate on why you think a given response_type that falls into the implicit / hybrid category should be supported? |
Beta Was this translation helpful? Give feedback.
-
|
We are thinking in use concretely 'code id_token' so as response of the /authorize endpoint we get an id_token purely to add extra security and validations in our Public clients, you know the |
Beta Was this translation helpful? Give feedback.
-
|
The use of openid using code+pkce is easier and likewise protects the application from code injection and CSRF. Plus the enforcement logic is server side - win. |
Beta Was this translation helpful? Give feedback.
-
|
Beta Was this translation helpful? Give feedback.
-
|
ok, thanks for the explanation, i would like to use the 'code id_token' so we get a signed id_token in the authorization response so we can ensure that the response comes from the 'party' that we expect, we are having a look to the JARM as replace for this id_token. |
Beta Was this translation helpful? Give feedback.
ok, thanks for the explanation, i would like to use the 'code id_token' so we get a signed id_token in the authorization response so we can ensure that the response comes from the 'party' that we expect, we are having a look to the JARM as replace for this id_token.