Yes, it also applies to the “code id_token” response_type. It would also apply 
to “code token”, “code token id_token” response types as well, though I can’t 
think of why a native app would use those.

We can look at an errata to clarify. It is an artifact of response_type being 
treated as a single string as opposed to being space separated values as most 
people would expect.

John B.

> On Jan 26, 2016, at 5:11 PM, Dominick Baier <dba...@leastprivilege.com> wrote:
> 
> Hi, 
> 
> PKCE only mentions OAuth 2.0 code flow - but wouldn’t that also apply to OIDC 
> hybrid flow e.g. code id_token?
> 
> — 
> cheers
> Dominick Baier
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org <mailto:OAuth@ietf.org>
> https://www.ietf.org/mailman/listinfo/oauth 
> <https://www.ietf.org/mailman/listinfo/oauth>
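
The point made in this thread, as an added example that is not part of the original messages: an authorization server that keys its PKCE requirement on `response_type == "code"` skips the hybrid response types, while one that treats the value as space-separated tokens covers them. Function names are hypothetical; parameter names and error codes are those of RFC 7636, and the sample verifier and challenge are the RFC 7636 Appendix B test vector.

```python
import base64
import hashlib
import hmac
from typing import Optional


def naive_requires_pkce(response_type: str) -> bool:
    # Weak check: whole-string comparison, so "code id_token" is not covered.
    return response_type == "code"


def returns_code(response_type: str) -> bool:
    # Token-wise check: any response type that yields an authorization code.
    # Splitting avoids substring matches and is independent of token order.
    return "code" in response_type.split()


def check_authorization_request(params: dict) -> Optional[str]:
    """Return an OAuth error code, or None if the request may proceed."""
    if not returns_code(params.get("response_type", "")):
        return None  # no code is issued, so there is nothing for PKCE to bind
    if not params.get("code_challenge"):
        return "invalid_request"  # RFC 7636 section 4.4.1
    # RFC 7636: the method defaults to "plain" when the parameter is absent.
    if params.get("code_challenge_method", "plain") not in ("S256", "plain"):
        return "invalid_request"
    return None


def verify_code_verifier(verifier: str, challenge: str, method: str = "S256") -> bool:
    """Token-endpoint check of code_verifier against the stored challenge."""
    if method == "S256":
        digest = hashlib.sha256(verifier.encode("ascii")).digest()
        computed = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    else:  # "plain"
        computed = verifier
    return hmac.compare_digest(computed, challenge)


if __name__ == "__main__":
    # Constructed requests; challenge/verifier from RFC 7636 Appendix B.
    challenge = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"
    verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
    for rt in ("code", "code id_token", "code token id_token", "id_token token"):
        print(rt, "| naive:", naive_requires_pkce(rt), "| token-wise:", returns_code(rt))
    print(check_authorization_request({"response_type": "code id_token"}))
    print(verify_code_verifier(verifier, challenge))
```
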
