Oauth2 Implicit flow - token code missing

Document ID : KB000100776
Last Modified Date : 14/06/2018
We are using the latest version of SiteMinder 12.8 with the new implicit OAuth2 flow.

It seems SiteMinder does not implement the Implicit flow correctly. As you can see, response_type=token generates an error:

"response type is missing or invalid". 

Trying with other codes, the results are:
response_type=code --> OK 
response_type=token --> ERROR 
response_type=id_token --> OK 
response_type=id_token%20token --> OK 

So we are guessing that the OpenID Connect Implicit flow works well, but the standard OAuth2 Implicit flow does not work.

Can you help us?

At first glance, it looks like the Implicit Grant Flow is implemented
only in the OpenID Connect Provider, which is a new feature in 12.8.

OIDC Implicit Flow

Besides Authorization Code Flow, CA Single Sign-On can now
authenticate users using OIDC Implicit Flow for supporting clients
that are browser-based, use a scripting language, and are Single-Page
Applications (SPA). Authorization Endpoint issues Access Token and ID
Token to a Client directly. CA Single Sign-On Implicit Flow is
certified with OpenID Conformance Implicit Profile.

New Features

For more information, see Authentication Using Implicit Flow

  Authentication Using Implicit Flow

  CA Single Sign-On as OpenID Connect Provider

Note as well that use of the Implicit Grant Flow isn't recommended.

  OAuth 2.0 Implicit Grant

  What is the OAuth 2.0 Implicit Grant Type?

You should also note that CA API Gateway has this feature implemented for OAuth 2.0:

  OAuth 2.0 Tutorial 3: The Implicit Grant Type

In order to get this Flow type implemented outside OIDC (OpenID Connect), we invite you
to open an Idea on the Security page:

  1. Go to the CA Security Overview Page :
  2. Click on the "Actions" drop-down menu and select "Create an
  3. Give your idea a title and detailed description to encourage
  4. Publish and vote on your idea!
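
As an added example (not part of the original article and not CA code): a client-side check that the redirect received for each of the response_type values tested above has the shape that RFC 6749 and OpenID Connect Core define for it. The function name, callback URLs and state values used with it are assumptions made for illustration.

```javascript
// Added example; parameter names follow RFC 6749 and OpenID Connect Core.
// Where each response_type delivers its result and what must (not) be present.
const EXPECTED = {
  "code":           { part: "query",    need: ["code"],                                   forbid: ["access_token", "id_token"] },
  "token":          { part: "fragment", need: ["access_token", "token_type"],             forbid: ["code", "id_token"] },
  "id_token":       { part: "fragment", need: ["id_token"],                               forbid: ["code", "access_token"] },
  "id_token token": { part: "fragment", need: ["id_token", "access_token", "token_type"], forbid: ["code"] },
};

// Validate the redirect received after an authorization request.
// sentState is the state value the client generated for that request.
function checkAuthResponse(responseType, redirectUrl, sentState) {
  // response_type is an unordered, space-separated set: normalise before lookup.
  const rule = EXPECTED[responseType.trim().split(/\s+/).sort().join(" ")];
  if (!rule) return { ok: false, reason: "unknown response_type" };

  const url = new URL(redirectUrl);
  const query = url.searchParams;
  const fragment = new URLSearchParams(url.hash.replace(/^#/, ""));
  const got = rule.part === "query" ? query : fragment;
  const other = rule.part === "query" ? fragment : query;

  // An error returned by the authorization endpoint, e.g. unsupported_response_type.
  const err = got.get("error") || other.get("error");
  if (err) return { ok: false, reason: "server error: " + err };

  // Tokens in the query string end up in server logs and Referer headers.
  for (const p of ["access_token", "id_token"]) {
    if (query.has(p)) return { ok: false, reason: p + " in query string" };
  }
  if (got.get("state") !== sentState) return { ok: false, reason: "state mismatch" };
  for (const p of rule.need) {
    if (!got.get(p)) return { ok: false, reason: "missing " + p };
  }
  for (const p of rule.forbid) {
    if (got.has(p) || other.has(p)) return { ok: false, reason: "unexpected " + p };
  }
  return { ok: true, reason: "matches " + rule.part + " response for " + responseType };
}
```

This checks only the shape of the response; an ID Token's signature and nonce still have to be validated before it is trusted.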