Question:
We are using the latest version of SiteMinder 12.8 with the new implicit OAuth2 flow.
It seems SiteMinder does not implement the Implicit flow correctly. As you can see, response_type=token generates an error:
"response type is missing or invalid".
Trying with other codes, the results are:
response_type=code --> OK
response_type=token --> ERROR
response_type=id_token --> OK
response_type=id_token%20token --> OK
So we are guessing that the OpenID Connect Implicit flow works well, but the standard OAuth2 implicit flow does not work.
Can you help us?
Answer:
At first glance, it looks like the Implicit Grant Flow is implemented
only in the OpenID Connect Provider, which is a new feature from 12.8.
OIDC Implicit Flow
Besides Authorization Code Flow, CA Single Sign-On can now
authenticate users using OIDC Implicit Flow for supporting clients
that are browser-based, use a scripting language, and are Single-Page
Applications (SPA). Authorization Endpoint issues Access Token and ID
Token to a Client directly. CA Single Sign-On Implicit Flow is
certified with OpenID Conformance Implicit Profile.
New Features
https://docops.ca.com/ca-single-sign-on/12-8/en/release-notes/new-features
For more information, see Authentication Using Implicit Flow
Authentication Using Implicit Flow
https://docops.ca.com/ca-single-sign-on/12-8/en/configuring/use-ca-single-sign-on-as-openid-connect-provider/authentication-using-implicit-flow
CA Single Sign-On as OpenID Connect Provider
https://docops.ca.com/ca-single-sign-on/12-8/en/release-notes/new-features
You'll notice as well that the Implicit Grant Flow isn't recommended for use.
OAuth 2.0 Implicit Grant
https://oauth.net/2/grant-types/implicit/
What is the OAuth 2.0 Implicit Grant Type?
https://developer.okta.com/blog/2018/05/24/what-is-the-oauth2-implicit-grant-type
You should also note that CA API Gateway has this feature implemented for OAuth 2.0:
OAuth 2.0 Tutorial 3: The Implicit Grant Type
https://communities.ca.com/videos/1363
In order to get this Flow type implemented outside OIDC (OpenID Connect), we invite you
to open an Idea on the Security page:
1. Go to the CA Security Overview Page :
2. Click on the "Actions" drop-down menu and select "Create an
idea."
3. Give your idea a title and detailed description to encourage
voting.
4. Publish and vote on your idea!
KB : KB000100776
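Each response_type tested in the question returns a different set of tokens in the redirect fragment. The following is an added example, not code from this thread or from CA documentation, showing how a browser client could validate that fragment for each value. The callback URL, state and nonce values and the sample token are constructed, and ID Token signature verification is assumed to be done separately.

```javascript
// Added example: names, URLs and tokens here are constructed, not SiteMinder's.
// Tokens each implicit response_type from the question must return in the fragment.
const EXPECTED = {
  "token": ["access_token"],                      // plain OAuth 2.0 implicit
  "id_token": ["id_token"],                       // OIDC implicit
  "id_token token": ["access_token", "id_token"], // OIDC implicit
};
const fail = (reason) => ({ ok: false, reason });

// Decode JWT claims only; verifying the signature against the provider's keys is not shown.
function jwtClaims(jwt) {
  const b64 = jwt.split(".")[1].replace(/-/g, "+").replace(/_/g, "/");
  return JSON.parse(atob(b64));
}

// Validate the redirect a client receives after an implicit-flow request.
function checkImplicitRedirect(redirectUrl, responseType, state, nonce) {
  const want = EXPECTED[responseType];
  if (!Array.isArray(want)) return fail("not an implicit response_type");
  const url = new URL(redirectUrl);
  const frag = new URLSearchParams(url.hash.slice(1));

  // Tokens in the query string reach server logs and Referer headers.
  if (url.searchParams.has("access_token") || url.searchParams.has("id_token"))
    return fail("token in query string");
  if (frag.has("error")) return fail("provider error: " + frag.get("error"));
  if (frag.get("state") !== state) return fail("state mismatch");

  // The returned tokens must match the requested response_type exactly.
  for (const name of ["access_token", "id_token"]) {
    if (want.includes(name) && !frag.get(name)) return fail("missing " + name);
    if (!want.includes(name) && frag.has(name)) return fail("unrequested " + name);
  }
  if (want.includes("id_token")) {
    let claims = null;
    try { claims = jwtClaims(frag.get("id_token")); }
    catch { return fail("malformed id_token"); }
    if (claims?.nonce !== nonce) return fail("nonce mismatch"); // replay protection
  }
  return { ok: true, tokens: want };
}

// Constructed sample: placeholder signature, payload carries only a nonce claim.
function sampleIdToken(nonce) {
  const enc = (o) => btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return enc({ alg: "RS256" }) + "." + enc({ nonce }) + ".sig";
}
```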