We are using the latest version of SiteMinder 12.8 with the new implicit OAuth2 flow.
It seems SiteMinder does not implement the Implicit flow correctly. As you may see, response_type=token generates an error:
"response type is missing or invalid".
Trying with other codes, the results are:
response_type=code --> OK
response_type=token --> ERROR
response_type=id_token --> OK
response_type=id_token%20token --> OK
So we are guessing that the OpenID Connect Implicit flow works well, but the standard OAuth2 Implicit flow does not work.
Could you help us?
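As an added illustration (not part of the question or the answer), the following Python maps each response_type value tried above to the grant it requests under RFC 6749 and OpenID Connect Core, and classifies the redirect an authorization endpoint sends back. The sample redirects, the `unsupported_response_type` error code and the token values are assumptions; only the error text comes from the question.

```python
from urllib.parse import parse_qs, unquote, urlsplit

# response_type values from RFC 6749 (OAuth 2.0) and OpenID Connect Core 1.0,
# keyed by their space-separated parts in sorted order.
KNOWN_RESPONSE_TYPES = {
    "code": "oauth2_authorization_code", "token": "oauth2_implicit",
    "id_token": "oidc_implicit", "id_token token": "oidc_implicit",
    "code id_token": "oidc_hybrid", "code token": "oidc_hybrid",
    "code id_token token": "oidc_hybrid",
}

def classify_response_type(response_type: str) -> str:
    """Name the grant a response_type requests ('invalid' if unknown).
    Accepts raw, '+'-encoded or '%20'-encoded separators in any order."""
    parts = sorted(unquote(response_type).replace("+", " ").split())
    return KNOWN_RESPONSE_TYPES.get(" ".join(parts), "invalid")

def parse_authz_response(location: str) -> dict:
    """Classify the redirect sent back by the authorization endpoint. Codes and
    errors travel in the query; implicit tokens must arrive in the fragment."""
    parts = urlsplit(location)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    fragment = {k: v[0] for k, v in parse_qs(parts.fragment).items()}
    result = {"state": query.get("state") or fragment.get("state")}
    if "error" in query:
        result.update(outcome="error", error=query["error"],
                      description=query.get("error_description"))
    elif "code" in query:
        result.update(outcome="code", code=query["code"])
    elif "access_token" in fragment or "id_token" in fragment:
        result.update(outcome="tokens",
                      tokens=[t for t in ("access_token", "id_token") if t in fragment])
    else:
        result["outcome"] = "unrecognised"
    # A token in the query string would reach server logs and Referer headers: flag it.
    result["token_leaked_in_query"] = "access_token" in query or "id_token" in query
    return result
# Constructed sample redirects (not captured from a real deployment) mirroring
# the outcomes reported in the question; only the error text is SiteMinder's.
SAMPLE_REDIRECTS = {
    "code": "https://app.example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=af0ifjsldkj",
    "token": "https://app.example.com/cb?error=unsupported_response_type"
             "&error_description=response+type+is+missing+or+invalid&state=af0ifjsldkj",
    "id_token%20token": "https://app.example.com/cb#access_token=2YotnFZFEjr1zCsicMWpAA"
             "&token_type=Bearer&expires_in=3600&id_token=ID_TOKEN_PLACEHOLDER&state=af0ifjsldkj",
}
def report() -> dict:
    # Pair each tried response_type with the grant it names and the observed outcome.
    return {rt: (classify_response_type(rt), parse_authz_response(loc)["outcome"])
            for rt, loc in SAMPLE_REDIRECTS.items()}
```

The report shows that the one rejected value, `token`, is exactly the OAuth 2.0-only implicit grant, while every value that includes `id_token` is an OIDC flow and succeeds.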
At first glance, it looks like the Implicit Grant Flow is implemented only in the OpenID Connect Provider, which is a new feature in 12.8.
OIDC Implicit Flow
Besides Authorization Code Flow, CA Single Sign-On can now
authenticate users using OIDC Implicit Flow for supporting clients
that are browser-based, use a scripting language, and are Single-Page
Applications (SPA). Authorization Endpoint issues Access Token and ID
Token to a Client directly. CA Single Sign-On Implicit Flow is
certified with OpenID Conformance Implicit Profile.
For more information, see Authentication Using Implicit Flow and CA Single Sign-On as OpenID Connect Provider.
You'll notice as well that the Implicit Grant Flow isn't recommended; see OAuth 2.0 Implicit Grant and What is the OAuth 2.0 Implicit Grant Type?
You should also note that CA API Gateway has this feature implemented for OAuth 2.0: OAuth 2.0 Tutorial 3: The Implicit Grant Type.
In order to get this flow type implemented outside OIDC (OpenID Connect), we invite you to open an Idea on the Security page:
1. Go to the CA Security Overview Page:
2. Click on the "Actions" drop-down menu and select "Create an
3. Give your idea a title and detailed description to encourage
4. Publish and vote on your idea!