For what it's worth, the response_mode parameter is defined in OAuth 2.0 Multiple Response Type Encoding Practices <https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html>, which is an OIDF document but not strictly part of OIDC so it can be used and referenced as an extension of OAuth without going fully OIDC.
One of the purported benefits of fragment encoding was that it allowed for the redirect uri request to be served from browser cache.

On Sat, Dec 8, 2018 at 11:58 AM Aaron Parecki <aa...@parecki.com> wrote:

> Do you know of anyone currently doing this today in an OAuth-only
> application?
>
> If the group wanted to take some existing OIDC mechanisms and apply them
> to OAuth, I feel like that needs to happen in a separate RFC, and that's a
> much bigger discussion. This BCP shouldn't really be defining new behavior.
> It's similar to how "OAuth 2.0 for Mobile and Native Apps" is not where
> PKCE is defined, PKCE has its own RFC.
>
> - Aaron
>
> On Sat, Dec 8, 2018 at 10:33 AM Brock Allen <brockal...@gmail.com> wrote:
>
>> For the same reason the implicit flow uses it -- to reduce exposure of
>> the response params. I know the code is protected with the
>> code_verifier, but it wouldn't hurt to reduce its exposure, no?
>>
>> -Brock
>>
>> On 12/8/2018 1:23:41 PM, Aaron Parecki <aa...@parecki.com> wrote:
>> What would be the benefit of using this response type? Are you aware of
>> any OAuth (not OIDC) clients that do this today?
>>
>> - Aaron
>>
>> On Sat, Dec 8, 2018 at 7:29 AM Brock Allen <brockal...@gmail.com> wrote:
>>
>>> Should the BCP suggest using OIDC's response_type=fragment as the
>>> mechanism for returning the code from the AS? Or simply suggest using the
>>> fragment component of the redirect_uri for the code, without a
>>> response_type parameter (IOW don't allow it to be dynamic)?
>>>
>>> -Brock
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
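The exposure and caching points discussed in this thread, as an added example that is not part of any message above: it compares what reaches the client's web server when the code comes back in the query versus the fragment, and shows a client reading the code only from the component it asked for. The host `client.example`, the code and state values, and all function names are constructed for illustration.

```javascript
// Constructed sample authorization responses (not taken from the thread).
const QUERY_RESPONSE = 'https://client.example/cb?code=SAMPLE_CODE&state=af0ifjsldkj';
const FRAGMENT_RESPONSE = 'https://client.example/cb#code=SAMPLE_CODE&state=af0ifjsldkj';

// The request target the browser sends when it follows the redirect.
// The fragment is never transmitted, so it cannot appear in server access logs,
// and the request is the same for every response delivered this way.
function requestTarget(redirectUrl) {
  const u = new URL(redirectUrl);
  return u.pathname + u.search;
}

// Read the authorization response from the component selected by the
// response_mode the client requested, and from nowhere else.
function parseAuthorizationResponse(redirectUrl, responseMode, expectedState) {
  const u = new URL(redirectUrl);
  const raw = responseMode === 'fragment' ? u.hash.slice(1) : u.search.slice(1);
  const params = new URLSearchParams(raw);
  if (params.has('error')) {
    throw new Error('authorization error: ' + params.get('error'));
  }
  const code = params.get('code');
  if (!code) {
    throw new Error('no code in ' + responseMode + ' component');
  }
  // The state check applies regardless of how the response was encoded.
  if (params.get('state') !== expectedState) {
    throw new Error('state mismatch');
  }
  return code;
}

// Once the code has been read, the page can drop the fragment so the code
// does not stay in the address bar or the history entry.
function scrubbedUrl(redirectUrl) {
  const u = new URL(redirectUrl);
  u.hash = '';
  return u.toString();
}

console.log('query mode, server sees:   ', requestTarget(QUERY_RESPONSE));
console.log('fragment mode, server sees:', requestTarget(FRAGMENT_RESPONSE));
console.log('code read by client script:',
  parseAuthorizationResponse(FRAGMENT_RESPONSE, 'fragment', 'af0ifjsldkj'));
```

In a browser the same parsing would run against `window.location.href`, with `history.replaceState` used to apply the scrubbed URL.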