OAuth2 Implicit flow - token code missing

Document ID : KB000100776
Last Modified Date : 14/06/2018
Question:
We are using the latest version of SiteMinder 12.8 with the new implicit OAuth2 flow.

It seems SiteMinder does not implement the Implicit flow correctly. As you may see, response_type=token generates an error:

"response type is missing or invalid". 

Trying with other codes, the results are:
response_type=code --> OK
response_type=token --> ERROR
response_type=id_token --> OK
response_type=id_token%20token --> OK

So we are guessing that the OpenID Connect Implicit flow works well, but the standard OAuth2 implicit flow does not work.

Can you help us?
Answer:
At first glance, it looks like the Implicit Grant Flow is implemented
only in the OpenID Connect Provider, which is a new feature in 12.8.

OIDC Implicit Flow

Besides Authorization Code Flow, CA Single Sign-On can now
authenticate users using OIDC Implicit Flow for supporting clients
that are browser-based, use a scripting language, and are Single-Page
Applications (SPA). Authorization Endpoint issues Access Token and ID
Token to a Client directly. CA Single Sign-On Implicit Flow is
certified with OpenID Conformance Implicit Profile.

New Features
https://docops.ca.com/ca-single-sign-on/12-8/en/release-notes/new-features

For more information, see Authentication Using Implicit Flow

  Authentication Using Implicit Flow
  https://docops.ca.com/ca-single-sign-on/12-8/en/configuring/use-ca-single-sign-on-as-openid-connect-provider/authentication-using-implicit-flow

  CA Single Sign-On as OpenID Connect Provider
  https://docops.ca.com/ca-single-sign-on/12-8/en/release-notes/new-features

You'll notice as well that the Implicit Grant Flow isn't recommended.

  OAuth 2.0 Implicit Grant
  https://oauth.net/2/grant-types/implicit/

  What is the OAuth 2.0 Implicit Grant Type?
  https://developer.okta.com/blog/2018/05/24/what-is-the-oauth2-implicit-grant-type

You should also note that CA API Gateway has this feature implemented for OAuth 2.0:

  OAuth 2.0 Tutorial 3: The Implicit Grant Type
  https://communities.ca.com/videos/1363

In order to get this Flow type implemented outside OIDC (OpenID Connect), we invite you
to open an Idea on the Security page:

  1. Go to the CA Security Overview Page:
     https://communities.ca.com/community/ca-security/ca-single-sign-on
  2. Click on the "Actions" drop-down menu and select "Create an
     idea."
  3. Give your idea a title and detailed description to encourage
     voting.
  4. Publish and vote on your idea!
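The distinction the answer draws (OIDC implicit versus plain OAuth 2.0 implicit) comes down to how an authorization server parses and classifies the response_type parameter. The following is an added example, not SiteMinder or CA code: a small request validator that splits response_type the way RFC 6749 section 3.1.1 requires (space-delimited, order-insensitive, so id_token%20token decodes to the same request as token%20id_token), maps the token set to a flow, and then checks the flow against a set of supported flows. The SITEMINDER_128_OIDC_SUPPORT set is an assumption reconstructed from the four results reported in the question; the URL, client_id and redirect_uri values are constructed placeholders.

```python
"""Parse and classify OAuth 2.0 / OIDC response_type values the way an
authorization server's request validator does. Added example, not SiteMinder code."""
from urllib.parse import parse_qs, urlsplit

# Tokens defined by RFC 6749 section 3.1.1 ("code", "token") and by
# OpenID Connect Core ("id_token").
KNOWN_TOKENS = frozenset({"code", "token", "id_token"})

# Flow names used by this example only (not SiteMinder terminology).
AUTH_CODE = "authorization_code"      # response_type=code, RFC 6749 section 4.1
OAUTH2_IMPLICIT = "oauth2_implicit"   # response_type=token, RFC 6749 section 4.2
OIDC_IMPLICIT = "oidc_implicit"       # id_token, or id_token together with token
OIDC_HYBRID = "oidc_hybrid"           # code combined with id_token and/or token

# Assumed reconstruction of what the question reports for SiteMinder 12.8:
# code, id_token and "id_token token" succeed, a bare "token" is rejected.
SITEMINDER_128_OIDC_SUPPORT = frozenset({AUTH_CODE, OIDC_IMPLICIT})

# Error text as quoted in the question.
MISSING_OR_INVALID = "response type is missing or invalid"


def parse_response_type(value):
    """Return the set of response_type tokens.

    RFC 6749 defines response_type as a space-delimited, order-insensitive
    list, so "id_token token" and "token id_token" are the same request.
    The URL-encoded form id_token%20token arrives here already decoded by
    the query parser. An empty value or an unknown token is rejected."""
    tokens = value.split()
    if not tokens or not set(tokens) <= KNOWN_TOKENS:
        raise ValueError(MISSING_OR_INVALID)
    return frozenset(tokens)


def classify_flow(tokens):
    """Map a response_type token set to the grant flow it requests."""
    tokens = frozenset(tokens)
    if tokens == {"code"}:
        return AUTH_CODE
    if tokens == {"token"}:
        return OAUTH2_IMPLICIT
    if tokens in ({"id_token"}, {"id_token", "token"}):
        return OIDC_IMPLICIT
    if "code" in tokens:
        return OIDC_HYBRID
    raise ValueError(MISSING_OR_INVALID)


def check_authorization_request(url, supported_flows):
    """Validate the response_type of an authorization request URL.

    Returns ("ok", flow) when the requested flow is supported by this
    server, otherwise ("error", message). A supported-but-different flow
    (e.g. OIDC implicit when plain OAuth 2.0 implicit was asked for) is an
    error, which is what the question observed for response_type=token."""
    query = parse_qs(urlsplit(url).query)
    raw = query.get("response_type", [""])[0]
    try:
        flow = classify_flow(parse_response_type(raw))
    except ValueError as exc:
        return ("error", str(exc))
    if flow not in supported_flows:
        return ("error", MISSING_OR_INVALID)
    return ("ok", flow)


# Constructed sample authorization request; host, client_id and redirect_uri
# are placeholders, not values from a real deployment.
BASE = ("https://idp.example.test/authorize?client_id=spa-client"
        "&redirect_uri=https%3A%2F%2Fapp.example.test%2Fcb"
        "&scope=openid&nonce=n-1&response_type=")

# The four values tried in the question, in the form they appear in the URL.
TRIED_VALUES = ("code", "token", "id_token", "id_token%20token")


def run_samples(supported_flows=SITEMINDER_128_OIDC_SUPPORT):
    """Check each tried response_type against a server's supported flows."""
    return {rt: check_authorization_request(BASE + rt, supported_flows)
            for rt in TRIED_VALUES}


if __name__ == "__main__":
    for rt, (status, detail) in run_samples().items():
        print(f"response_type={rt:<18} --> {status.upper()}: {detail}")
```

Running the block reproduces the question's table: code, id_token and id_token%20token succeed, and only the bare token value fails, because it selects the OAuth 2.0 implicit flow rather than the OIDC one. Passing a supported set that also contains OAUTH2_IMPLICIT makes the same request succeed, which is the behaviour the answer says would need a separate feature request.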