
id_token support #2

Open
mexmer opened this issue Mar 23, 2023 · 5 comments
@mexmer

mexmer commented Mar 23, 2023

Hi,
I tested your server, but the OpenID client in .NET seems to request the response type id_token by default for the authorize request, which doesn't seem to be supported by your implementation.

Any plans to add this?

https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html

@Shoogn
Owner

Shoogn commented Mar 27, 2023

Hi, thanks for posting.
Yeah, it's not supported right now, but I will add it shortly.

@Shoogn Shoogn self-assigned this Mar 27, 2023
@Shoogn
Owner

Shoogn commented Mar 27, 2023

Also, I have to mention that the OIDC Implicit Flow is not a secure way to get an id_token from the Authorization Server, unless your token doesn't contain sensitive data. The best response type to use is the code response type with PKCE.

@Shoogn Shoogn closed this as completed Mar 27, 2023
@mexmer
Author

mexmer commented Mar 27, 2023

@Shoogn The OIDC client does not expose the token to the end user; it is actually processed on the callback interface (sign-in URI). I have my own override on this, so I can validate tokens (and for Apple OAuth there is an extra handshake, so an override is needed anyway).

Anyway, thanks for the reply; I will look forward to this feature.

@Shoogn Shoogn reopened this Mar 28, 2023
@Shoogn
Owner

Shoogn commented Mar 28, 2023

@mexmer After reading about this response type in the documentation, I found that the OIDC Implicit Flow is still available as a valid response type, but it's removed from OAuth 2.1. If you are going to use this flow in OIDC, you have to be careful if you have sensitive data: you must not include it in the token. Therefore, to request this sensitive data you can call the UserInfo endpoint instead.
And for that reason, I'm going to add these two features to my Authorization Server as soon as possible.
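
The two comments above contrast the implicit response type (`response_type=id_token`, tokens returned in the front channel) with the code flow plus PKCE. The following is an added example, not code from this issue or from the Shoogn Authorization Server project: it derives an S256 `code_challenge` from a `code_verifier` as RFC 7636 specifies, verifies it the way a token endpoint would, and classifies an incoming `response_type` so a server can refuse implicit and hybrid requests. The `check_authorize_request` policy function and its error strings are hypothetical; only the parameter names (`response_type`, `code_challenge`, `code_challenge_method`) come from the OAuth/OIDC wire format.

```python
"""PKCE (RFC 7636) helpers and a response_type policy check.

Added example, not code from the issue or the project. The parameter names
follow the OAuth 2.0 / OIDC wire format; check_authorize_request is a
hypothetical illustration of refusing front-channel token delivery.
"""
import base64
import hashlib
import hmac
import secrets

CODE_VERIFIER_MIN, CODE_VERIFIER_MAX = 43, 128  # RFC 7636 section 4.1


def _b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Client side: a high-entropy random verifier (43 chars for 32 bytes)."""
    return _b64url(secrets.token_bytes(nbytes))


def code_challenge_s256(verifier: str) -> str:
    """Client side: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(verifier: str, stored_challenge: str, method: str = "S256") -> bool:
    """Server side, at the token endpoint: recompute the challenge that was
    stored with the authorization code and compare in constant time."""
    if method != "S256":  # 'plain' gives no protection against a leaked challenge
        return False
    if not CODE_VERIFIER_MIN <= len(verifier) <= CODE_VERIFIER_MAX:
        return False
    return hmac.compare_digest(code_challenge_s256(verifier), stored_challenge)


def classify_response_type(response_type: str) -> str:
    """Map a space-separated response_type value to the OIDC flow it selects."""
    parts = set(response_type.split())
    if parts == {"code"}:
        return "code"
    if "code" in parts and parts & {"id_token", "token"}:
        return "hybrid"
    if parts and parts <= {"id_token", "token"}:
        return "implicit"
    return "unknown"


def check_authorize_request(params: dict) -> tuple:
    """Hypothetical server policy: accept only the code flow, and only with S256 PKCE.
    Returns (accepted, reason)."""
    flow = classify_response_type(params.get("response_type", ""))
    if flow != "code":
        return False, f"unsupported_response_type: {flow} flow returns tokens via the front channel"
    if params.get("code_challenge_method") != "S256" or not params.get("code_challenge"):
        return False, "invalid_request: code_challenge with code_challenge_method=S256 is required"
    return True, "ok"


if __name__ == "__main__":
    # Constructed round trip: the client derives the challenge, the server checks it later.
    verifier = make_code_verifier()
    challenge = code_challenge_s256(verifier)
    print(check_authorize_request({"response_type": "code",
                                   "code_challenge": challenge,
                                   "code_challenge_method": "S256"}))
    print(check_authorize_request({"response_type": "id_token"}))  # the default request from the issue
    print(verify_pkce(verifier, challenge))
```

The `verify_pkce` check uses `hmac.compare_digest` so the comparison does not leak timing information, and it rejects the `plain` method, which would let anyone who observed the authorization request replay the challenge as the verifier. The RFC 7636 appendix B vector (`dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk` → `E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM`) is a convenient sanity check for the S256 derivation.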

@mexmer
Author

mexmer commented Mar 28, 2023

I see, thanks for the info. TBH, I use the OIDC client in .NET; I don't give it explicit configuration for what it should request, so whatever Microsoft programmed in there, it does 🐱.
I hope Google implements the profile endpoint before OAuth 2.1 is widely implemented. ATM I can use profile with OIDC only on Microsoft for validating. Google has its own endpoint for info and the same goes for Apple, even if you specify the profile scope on authentication.

I would rather use the endpoints exposed in WKS.
