Page Comparison

...

(The bold parameters have differences between the usage in implicit vs authorization code flow)

Rest of this page The sample here, addresses how this flow can be tried out with WSO2 Identity Server .

Following are the expected requests and the relevant responses WSO2 Identity Server would generate for this flow.

• Response_type=id_token

Request

https://localhost:9443/oauth2/authorize?response_type=id_token&client_id=NgTICXFPYnt7ETUm6Fc8NMU8K38a&redirect_uri=http://localhost:8080/playground2/oauth2client&nonce=abc&scope=openid 

Response

http://localhost:8080/playground2/oauth2client#token_type=Bearer&expires_in=60&id_token=eyJhbGciOiJSUzI1NiJ9.eyJhdXRoX3RpbWUiOjE0NTMxODQyNTcsImV4cCI6MTQ1MzE4Nzg1Nywic3ViIjoiYWRtaW5AY2FyYm9uLnN1cGVyIiwiYXpwIjoiVzJPb1N4UURDVnJCazFsbmZmbzFOR0NLWmJRYSIsImF0X2hhc2giOiJRMXdwcURSOVpvV2NjQjNUbUl0Q0x3Iiwibm9uY2UiOiJhYmMiLCJhdWQiOlsiVzJPb1N4UURDVnJCazFsbmZmbzFOR0NLWmJRYSJdLCJpc3MiOiJodHRwczpcL1wvbG9jYWxob3N0Ojk0NDNcL29hdXRoMlwvdG9rZW4iLCJpYXQiOjE0NTMxODQyNTd9.iZSsb9PGC6lK0_fZe6R46BuiJs029F2NpA7GFv5NtI9T4h8p64qwBX-A0LEqOxg3H02OHIV22zKti8WoPsruFZmeAT75__kUHij_b3JM34kUuus478c1qBWFFKzR1EIReEj7Rf2UxYAPixgmPhuutQjJhAXqSwSiRlOR_tDp1Do

Please refer https://wso2.org/jira/browse/IDENTITY-4247 for a known issue in the above flow and the fix.

Please note nonce value is mandatory parameter here and if didn’t provide scope=openid you won’t get Id Token.
Base64 decoded value of Id Token

{"auth_time":1453184484,"exp":1453188084,"sub":"admin@carbon.super","azp":"W2OoSxQDCVrBk1lnffo1NGCKZbQa","at_hash":"DoxjyXzmrL6Z_kWRzmBdCA","nonce":"abc","aud":["W2OoSxQDCVrBk1lnffo1NGCKZbQa"],"iss":"https:\/\/localhost:9443\/oauth2\/token","iat":1453184484}

Id Token does not contain at_hash value since no access token is generated (access token is required to calculate at_hash value)

• Response_type : id_token token

Request

https://localhost:9443/oauth2/authorize?response_type=id_token%20token&client_id=NgTICXFPYnt7ETUm6Fc8NMU8K38a&redirect_uri=http://localhost:8080/playground2/oauth2client&nonce=abc&scope=openid

Response

http://localhost:8080/playground2/oauth2client#access_token=bb2157fce1266331c7802a8a1f6a33e1&id_token=eyJhbGciOiJSUzI1NiJ9.eyJhdF9oYXNoIjoiWHRhdktnTGtBT18zVUFfMmstay1YUSIsInN1YiI6ImFkbWluQGNhcmJvbi5zdXBlciIsImF1ZCI6WyJOZ1RJQ1hGUFludDdFVFVtNkZjOE5NVThLMzhhIl0sImF6cCI6Ik5nVElDWEZQWW50N0VUVW02RmM4Tk1VOEszOGEiLCJhdXRoX3RpbWUiOjE0NTI5NjkwNDUsImlzcyI6Imh0dHBzOlwvXC9sb2NhbGhvc3Q6OTQ0M1wvb2F1dGgyXC90b2tlbiIsImV4cCI6MTQ1Mjk3MzU1OSwibm9uY2UiOiJhYmMiLCJpYXQiOjE0NTI5Njk5NTl9.PNJl3gkC85zxZVclbaSR_5rFPUApBLD1vWQ1nkQUwzSNxA3A0SU2VJOLfGK-R1FQ_xQaC_MaZsfAvxm5h5o9_KTxWvYY8KuGEvqSz5uecE0ykArBBmLf1Sk0nT5MxVGcVvTRx6swkWZRtxIlcofnMoQKuephwXASPWdcJIhoJH0&token_type=Bearer&expires_in=2386

Here, note that both the access token and IDToken are returned to the client.

...

Playground sample.