thephpleague / oauth2-server

A spec compliant, secure by default PHP OAuth 2.0 Server

Home Page:https://oauth2.thephpleague.com

Implicit grant for OIDC not supported

georgeboot opened this issue · comments

I know OIDC is not formally supported by this package.

We are however implementing an OIDC server using this package (with the help of https://github.com/jeremy379/laravel-openid-connect).

When I use the authorisation code grant, this works as expected.

However, when I try to do an implicit grant (or implicit flow as OIDC calls it) by setting response_type=token id_token, the server always rejects the request because the following check does not match the request:

```php
// From ImplicitGrant::canRespondToAuthorizationRequest() in league/oauth2-server:
// the grant only claims the request when response_type is exactly "token".
return (
    isset($request->getQueryParams()['response_type'])
    && $request->getQueryParams()['response_type'] === 'token'
    && isset($request->getQueryParams()['client_id'])
);
```

Is this done on purpose? Should this check not rather be a contains check? I am happy to submit a PR if this is the case.

If not, are there any ways for me to get my setup working?

I think this is on purpose as we don't have the concept of an id_token for the implicit grant in OAuth 2. I'd be hesitant to change this until we have time to implement OIDC.

Have you raised an issue with the downstream package? Might be better for them to tackle it at this time.
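An added example (not code from league/oauth2-server or from either participant) showing why a plain "contains" check is the wrong fix: it parses response_type as the space-delimited list OIDC sends, but lets a grant claim the request only when it can issue every requested value, which is the concern behind keeping the strict match. The function names and the `$supported` sets are assumed for illustration.

```php
<?php
// Added example, not part of the oauth2-server package.
// OIDC encodes several response types in one space-delimited parameter
// ("token id_token"). A naive strpos()/contains check would let the plain
// OAuth 2.0 implicit grant claim such a request and silently drop id_token,
// so the client would get a bare access token it did not ask for on its own.
declare(strict_types=1);

/** Split response_type into a de-duplicated list: "token id_token" => ['token', 'id_token']. */
function parseResponseTypes(string $responseType): array
{
    $parts = preg_split('/\s+/', trim($responseType), -1, PREG_SPLIT_NO_EMPTY);
    return array_values(array_unique($parts));
}

/**
 * A grant claims the request only when the requested set equals the set it
 * can produce. $supported is ['token'] for the OAuth 2.0 implicit grant, or
 * ['token', 'id_token'] for a hypothetical OIDC-aware implicit grant.
 */
function grantCanRespond(array $query, array $supported): bool
{
    if (!isset($query['response_type'], $query['client_id'])) {
        return false;
    }
    $requested = parseResponseTypes((string) $query['response_type']);
    sort($requested);   // order of values is not significant
    sort($supported);   // local copy; caller's array is untouched
    return $requested === $supported;
}

$oauthImplicit = ['token'];
$oidcImplicit  = ['token', 'id_token'];   // hypothetical OIDC-aware grant

// Constructed sample authorization requests.
$requests = [
    ['response_type' => 'token',          'client_id' => 'app'],
    ['response_type' => 'token id_token', 'client_id' => 'app'],
    ['response_type' => 'id_token token', 'client_id' => 'app'],
    ['response_type' => 'token'],                               // client_id missing
];
foreach ($requests as $q) {
    printf("%-16s oauth:%-5s oidc:%s\n", $q['response_type'],
        var_export(grantCanRespond($q, $oauthImplicit), true),
        var_export(grantCanRespond($q, $oidcImplicit), true));
}
```

With these inputs only the first request is accepted by the OAuth-only grant, while "token id_token" in either order is accepted solely by the OIDC-aware one and the request without client_id is rejected by both.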