IdentityServer OpenID Connect Flows: Relationship between Response Types and Grant Types

OpenID Connect defines a few flows (e.g. see scottbrady91 Flow Comparison and which-openid-connect flow-is-the-right-one).

In the IdentityServer Client definition you specify the grant type, i.e. the flow (e.g. AllowedGrantTypes = GrantTypes.HybridAndClientCredentials).

You also specify one or more response types in OpenIdConnectOptions.ResponseType (e.g. ResponseType = "code id_token token").

If the two do not match, you will get an error like:

[Error] Invalid grant type for client: implicit \"ResponseType\": \"id_token token\"

The relationship is not obvious; it is partially discussed in http://stackoverflow.com/questions/29275477/openidconnect-response-type-confusion.

To understand the possible relationships between Response Types and Grant Types, see IdentityServer4Constants.cs:

ResponseTypeToGrantTypeMapping

            { OidcConstants.ResponseTypes.Code, GrantType.AuthorizationCode },
            { OidcConstants.ResponseTypes.Token, GrantType.Implicit },
            { OidcConstants.ResponseTypes.IdToken, GrantType.Implicit },
            { OidcConstants.ResponseTypes.IdTokenToken, GrantType.Implicit },
            { OidcConstants.ResponseTypes.CodeIdToken, GrantType.Hybrid },
            { OidcConstants.ResponseTypes.CodeToken, GrantType.Hybrid },
            { OidcConstants.ResponseTypes.CodeIdTokenToken, GrantType.Hybrid }
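The mapping above used as a configuration check, as an added example (not IdentityServer's own code): given a client's allowed grant types and the ResponseType the application requests, it reports the kind of mismatch behind the error shown earlier. The string literals are the wire values of the listed constants, and the class name, the Check helper, the order-insensitive comparison and the sample client are assumptions of this example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

static class ResponseTypeCheck
{
    // Wire values of the constants in the mapping above (example copy, not the library's table).
    static readonly Dictionary<string, string> Mapping = new Dictionary<string, string>
    {
        { "code", "authorization_code" },
        { "token", "implicit" },
        { "id_token", "implicit" },
        { "id_token token", "implicit" },
        { "code id_token", "hybrid" },
        { "code token", "hybrid" },
        { "code id_token token", "hybrid" },
    };

    // Assumption: response_type is a space-delimited set, so sort the parts
    // to make "token id_token" compare equal to "id_token token".
    static string Normalize(string responseType) =>
        string.Join(" ", responseType
            .Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries)
            .OrderBy(p => p, StringComparer.Ordinal));

    // Returns "ok" when the pair is consistent, otherwise a description of the mismatch.
    public static string Check(string responseType, ICollection<string> allowedGrantTypes)
    {
        var byNormalized = Mapping.ToDictionary(kv => Normalize(kv.Key), kv => kv.Value);
        string required;
        if (!byNormalized.TryGetValue(Normalize(responseType), out required))
            return "unknown response type '" + responseType + "'";
        if (allowedGrantTypes.Contains(required))
            return "ok";
        return "needs grant type '" + required + "', client allows: "
            + string.Join(", ", allowedGrantTypes);
    }

    static void Main()
    {
        // Constructed sample: the grant types a hybrid + client credentials client allows.
        var hybridClient = new[] { "hybrid", "client_credentials" };
        foreach (var rt in new[] { "code id_token token", "token id_token", "code" })
            Console.WriteLine(rt.PadRight(20) + " -> " + Check(rt, hybridClient));
    }
}
```

For this client only the first response type passes; "token id_token" requires implicit and "code" requires authorization_code, neither of which the client allows.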


#hybrid-flow, #idsrv, #openid-connect