Preflight checklist

• I could not find a solution in the existing issues, docs, nor discussions.
• I agree to follow this project's Code of Conduct.
• I have read and am following this repository's Contribution Guidelines.
• This issue affects my Ory Cloud project.
• I have joined the Ory Community Slack.
• I am signed up to the Ory Security Patch Newsletter.

Describe your problem

The web message response type is used by commercial OAuth2 services (such as Auth0) to support token retrieval without requiring the browsing context to change.

Describe your ideal solution

The ideal solution would be for HTML containing the WebMessage script (with a specific origin matching the redirect URL) to be returned when the response_type is set to web_message.

The approach could be restricted to only public clients using PKCE to prevent misuse?

Workarounds or alternatives

Version

v0.42.1

Additional Context

No response

Please see #658 (review)