Allow setting "response_type" other than "code"?

[Nezteb]

Description

Is there a way to explicitly set a response_type other than code? Specifically I'd like to be able to set it in the authorization opts: https://hexdocs.pm/oidcc/oidcc_authorization.html#t:opts/0

Searching through code I couldn't find a way to do this, and most of the test code just uses the code response type: https://github.com/search?q=repo%3Aerlef%2Foidcc+response_type&type=code

Ref:

• https://openid.net/specs/openid-connect-core-1_0-17.html#id_tokenExample
• https://auth0.com/docs/authenticate/login/oidc-conformant-authentication/oidc-adoption-implicit-flow#oidc-conformant

[maennchen]

@Nezteb oidcc currently only supports the code flow.

The initial scope of this library was for code login flows only since erlang / elixir are traditionally running on a server and the code flow is the most appropriate one to use for that.

However with technologies like live view native, we might want to expand on that in the future.

For which use case do you require a hybrid flow that can’t be solved more securely using PKCE?

[Nezteb]

Thanks for the quick response Jonatan!

For our use-case, we only needed to do the initial user authentication to get an ID token back, AKA "login only". We figured this hybrid route would be simpler and more flexible as we could use it to fetch both an ID token for the browser and later also fetch an access token for our backend service.

That being said, we could easily rework our application to use the auth code method with PKCE. Before doing that, I wanted to ask about potentially supporting other "response_type" values; your reasoning makes perfect sense to me. 😄

[maennchen]

I’ve opened the discussions #367 & #368 to gauge the interest of the community.

Whenever we implement this, I want to make sure that we implement it properly and also certify the new profiles.

Therefore the implementation is a bit more involved than just to add a config parameter for the type.

I’ll close this issue for now since I have no immediate plans to implement this.