For the same reason the implicit flow uses it -- to reduce exposure of the 
response params. I know the code is protected with the code_verifier, but it 
wouldn't hurt to reduce its exposure, no?

-Brock

On 12/8/2018 1:23:41 PM, Aaron Parecki <[email protected]> wrote:
What would be the benefit of using this response type? Are you aware of any 
OAuth (not OIDC) clients that do this today?

- Aaron


On Sat, Dec 8, 2018 at 7:29 AM Brock Allen <[email protected]> wrote:

Should the BCP suggest using OIDC's response_type=fragment as the mechanism for 
returning the code from the AS? Or simply suggest using the fragment component 
of the redirect_uri for the code, without a response_type parameter (IOW don't 
allow it to be dynamic)?


-Brock

_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth