oauth-wg / oauth-v2-1

OAuth 2.1 is a consolidation of the core OAuth 2.0 specs
https://oauth.net/2.1/

OAuth 2.1 + OIDC: The implicit flow grant type is indeed mandatory to support the Hybrid flow. #157

Closed vanbukin closed 1 year ago

vanbukin commented 1 year ago

According to the OpenID Connect Core 1.0 incorporating errata set 1 specification, for the Hybrid Flow, the response_type parameter should be set to "code id_token". However, based on the OpenID Connect Dynamic Client Registration 1.0 incorporating errata set 1 specification, if a client is registered with this response_type, its grant_types should be "authorization_code" and "implicit". Please note that the Implicit Flow has been removed in OAuth 2.1. I am trying to create a provider that simultaneously supports OAuth 2.1 and OpenID Connect 1.0 but without OAuth 2.0 support, specifically excluding the Implicit Flow and ROPC. I see a contradiction between these specifications, and I'm not sure where to turn for guidance. How can I proceed to support the Hybrid Flow without using the implicit grant type?

aaronpk commented 1 year ago

Implicit is no longer part of authorization flows, and is not defined in OAuth 2.1.

When OpenID Connect is updated to refer to OAuth 2.1, it should define the implicit flow as an authentication flow that returns only an ID token.

What OAuth 2.1 doesn't define is how to use the implicit flow to get an access token, and that is also explicitly prohibited in the Security BCP. However, there's nothing stopping you from using the implicit flow to get an ID token; it's just not defined in OAuth 2.1. So you can continue to use the implicit flow as defined in OAuth 2.0 to get an ID token, and not be in violation of OAuth 2.1.
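A registration-time check that combines the response_types/grant_types consistency table from OpenID Connect Dynamic Client Registration 1.0 with the reading in the reply above (implicit is tolerated only to deliver an ID token, never an access token). This is an added example, not code from the oauth-v2-1 project; the `FORBIDDEN_GRANTS` policy, the function name and the error strings are assumptions.

```python
# Added example (not part of the oauth-v2-1 repository): a client-registration
# check for a provider that wants to be OAuth 2.1 + OpenID Connect 1.0 only.
#
# Rule 1 is the response_types <-> grant_types consistency table from
# OpenID Connect Dynamic Client Registration 1.0, section 2.
# Rule 2 is the thread's reading: "implicit" may stay registered only to return
# an ID token from the authorization endpoint, never an access token.
from typing import Dict, FrozenSet, List, Set

# Grant types each response_type requires (Dynamic Client Registration table).
# frozenset keys make "code id_token" and "id_token code" compare equal.
RESPONSE_TYPE_GRANTS: Dict[FrozenSet[str], FrozenSet[str]] = {
    frozenset({"code"}): frozenset({"authorization_code"}),
    frozenset({"id_token"}): frozenset({"implicit"}),
    frozenset({"token", "id_token"}): frozenset({"implicit"}),
    frozenset({"code", "id_token"}): frozenset({"authorization_code", "implicit"}),
    frozenset({"code", "token"}): frozenset({"authorization_code", "implicit"}),
    frozenset({"code", "token", "id_token"}): frozenset({"authorization_code", "implicit"}),
}

# Assumed local policy: grant types OAuth 2.1 dropped outright.
FORBIDDEN_GRANTS: Set[str] = {"password"}


def check_registration(response_types: List[str], grant_types: List[str]) -> List[str]:
    """Return a list of problems; an empty list means the registration is acceptable."""
    problems: List[str] = []
    grants = set(grant_types)
    required: Set[str] = set()

    for rt in response_types:
        parts = frozenset(rt.split())
        if parts not in RESPONSE_TYPE_GRANTS:
            problems.append(f"unknown response_type {rt!r}")
            continue
        # Rule 1: the registered grant_types must cover what response_type needs.
        missing = RESPONSE_TYPE_GRANTS[parts] - grants
        if missing:
            problems.append(f"response_type {rt!r} requires grant_types {sorted(missing)}")
        required |= RESPONSE_TYPE_GRANTS[parts]
        # Rule 2: "token" in response_type is an access token from the front
        # channel, which OAuth 2.1 does not define and the Security BCP forbids.
        if "token" in parts:
            problems.append(f"response_type {rt!r} returns an access token via implicit")

    for g in sorted(grants & FORBIDDEN_GRANTS):
        problems.append(f"grant_type {g!r} was removed in OAuth 2.1")
    # "implicit" is kept only because some response_type needs it for an ID token.
    if "implicit" in grants and "implicit" not in required:
        problems.append("grant_type 'implicit' registered without a response_type that needs it")
    return problems
```

So the Hybrid Flow registration (`code id_token` with `authorization_code` and `implicit`) passes, while `code token` or a bare `implicit` grant is rejected.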