[
https://issues.apache.org/jira/browse/CXF-8414?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Colm O hEigeartaigh resolved CXF-8414.
--------------------------------------
Resolution: Information Provided
> OAuth 2.0: authorize response_type order matters
> ------------------------------------------------
>
> Key: CXF-8414
> URL: https://issues.apache.org/jira/browse/CXF-8414
> Project: CXF
> Issue Type: Bug
> Components: JAX-RS Security
> Affects Versions: 3.4.2
> Reporter: Will Croteau
> Priority: Major
> Labels: OIDC
>
> Per the [OAuth2
> Specification|https://tools.ietf.org/html/rfc6749#section-8.4]:
> {quote}If a response type contains one or more space characters (%x20), it
> is compared as a space-delimited list of values in which the order of
> values does not matter. Only one order of values can be registered,
> which covers all other arrangements of the same set of values.
> For example, the response type "token code" is left undefined by this
> specification. However, an extension can define and register the
> "token code" response type. Once registered, the same combination
> cannot be registered as "code token", but both values can be used to
> denote the same response type.
> {quote}
> OidcImplicitService and OidcHybridService both support multiple response
> types, but require specific ordering. For example, {{id_token token}} will
> work, but {{token id_token}} returns {{unsupported_response_type}}.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
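The behaviour RFC 6749 section 8.4 asks for, as an added example that is not part of this issue and not CXF's own code: each registered response type and each requested one is split on the %x20 delimiter into a set of values, and the request matches when the sets are equal, so "token id_token" resolves to the registered "id_token token". The registry rejects a second registration of the same set under a different order, as the spec requires, and treats empty or duplicated values (doubled, leading or trailing spaces, "code code") as malformed rather than silently normalising them. The names ResponseTypeRegistry, parse_response_type and UnsupportedResponseType are assumptions chosen for this example; the supported lists in the usage are constructed and do not claim to match how CXF configures its services.

```python
"""Order-insensitive response_type matching per RFC 6749 section 8.4.

Example code written for this discussion; not CXF's implementation.
"""

SP = " "  # RFC 6749 8.4: the delimiter is exactly one %x20 character


class UnsupportedResponseType(ValueError):
    """Raised when response_type is malformed or not registered."""


def parse_response_type(value):
    """Split a response_type parameter into its set of values.

    An empty string, a leading/trailing/doubled space (each yields an empty
    token) and repeated values such as "code code" are rejected as malformed
    instead of being quietly collapsed to a valid set.
    """
    tokens = value.split(SP)
    if any(token == "" for token in tokens):
        raise UnsupportedResponseType("malformed response_type: %r" % value)
    if len(set(tokens)) != len(tokens):
        raise UnsupportedResponseType("duplicate value in response_type: %r" % value)
    return frozenset(tokens)


class ResponseTypeRegistry:
    """Registered response types, keyed by their value set.

    Only one ordering of a given set can be registered; that canonical string
    is what resolve() hands back to the caller, so downstream code can keep
    comparing against the form it was configured with.
    """

    def __init__(self, supported):
        self._canonical = {}
        for registered in supported:
            key = parse_response_type(registered)
            if key in self._canonical:
                raise ValueError(
                    "%r is already registered as %r" % (registered, self._canonical[key])
                )
            self._canonical[key] = registered

    def resolve(self, requested):
        """Return the canonical registered form, or raise unsupported_response_type."""
        key = parse_response_type(requested)
        try:
            return self._canonical[key]
        except KeyError:
            raise UnsupportedResponseType(
                "unsupported_response_type: %r" % requested
            ) from None

    def is_supported(self, requested):
        try:
            self.resolve(requested)
            return True
        except UnsupportedResponseType:
            return False


if __name__ == "__main__":
    # Constructed configuration: an implicit-style service that issues an ID
    # token alone or together with an access token. Both orderings of the
    # two-value request map onto the single registered string.
    implicit = ResponseTypeRegistry(["id_token", "id_token token"])
    print(implicit.resolve("token id_token"))   # id_token token
    print(implicit.is_supported("token"))       # False: not registered here

    # "token code" is left undefined by RFC 6749, so a registry that only
    # knows "code" must reject it in either order.
    code_only = ResponseTypeRegistry(["code"])
    print(code_only.is_supported("token code"))  # False
```

The duplicate-registration check matters in practice: if a service is "fixed" by listing both `id_token token` and `token id_token` as supported, the two entries describe one response type and the registry refuses the second, which is what section 8.4 means by "only one order of values can be registered".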