This repository has been archived by the owner on Feb 25, 2019. It is now read-only.

unsupported_response_type #7

Open
ikb42 opened this issue Sep 28, 2015 · 1 comment
@ikb42
Contributor

ikb42 commented Sep 28, 2015

Using the example with popup, clicking signin gives this in the console for callback_popup.html:

pageUrl=http://localhost:9000/callback_popup.html#error=unsupported_response_type&error_description=Unsupported%20response%20type

The response_type is not specified in the demo app; the default from anvil-connect appears to be 'id_token token'.

@adalinesimonian
Member

The reason this is happening is that the script for registering clients in this repo is not registering the client with an id_token token response_type and an implicit grant_type, which are necessary per the OIDC specification to use id_token token as a response_type. Prior, Anvil Connect did not validate this part of the client metadata, but now it is compliant with the standard, and does.

There's another problem, and that is that the implicit grant_type does not allow the registered client to use http; only https or a custom scheme is allowed. We only enforce this particular aspect in a production environment, but if Anvil Connect is running inside Docker, it is always running with NODE_ENV set to production, and thus clients using the implicit auth flow must be using SSL.

Therefore, in order to work, this project should:

  1. Register the client with the correct response_type and grant_type claims
  2. Run with SSL
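The two registration rules described in that comment can be checked mechanically. The following is an added illustration, not code from this repository or from Anvil Connect: a small validator for OIDC client registration metadata that (a) requires the grant_type that each response_type implies, following the table in OpenID Connect Dynamic Client Registration 1.0 section 2, and (b) rejects `http` redirect URIs for implicit clients when a `production` flag is set, standing in for the NODE_ENV behaviour mentioned above. The sample registrations, the `production` option and the function names are constructed for this example; the redirect URI is the one from the console output in the issue.

```javascript
// Added example (not Anvil Connect's own code): validate OIDC client
// registration metadata the way the comment above says the server now does.

// response_type -> grant_types it requires (OIDC Dynamic Client Registration
// 1.0, section 2; plain "token" is OAuth 2.0 implicit). Keys are stored with
// their tokens in sorted order, because response_type is an unordered set.
const REQUIRED_GRANTS = {
  'code': ['authorization_code'],
  'token': ['implicit'],
  'id_token': ['implicit'],
  'id_token token': ['implicit'],
  'code id_token': ['authorization_code', 'implicit'],
  'code token': ['authorization_code', 'implicit'],
  'code id_token token': ['authorization_code', 'implicit'],
};

// "token id_token" and "id_token token" are the same response_type.
function normalizeResponseType(rt) {
  return rt.trim().split(/\s+/).sort().join(' ');
}

// Returns a list of registration problems (empty list = metadata is consistent).
// `production` is an assumption of this example, modelling NODE_ENV=production.
function validateClientMetadata(metadata, { production = true } = {}) {
  const errors = [];
  // Defaults the spec applies when a registration request omits these fields.
  const grantTypes = new Set(metadata.grant_types || ['authorization_code']);
  const responseTypes = metadata.response_types || ['code'];

  for (const rt of responseTypes) {
    const required = REQUIRED_GRANTS[normalizeResponseType(rt)];
    if (!required) {
      errors.push(`unknown response_type "${rt}"`);
      continue;
    }
    for (const grant of required) {
      if (!grantTypes.has(grant)) {
        errors.push(`response_type "${rt}" requires grant_type "${grant}"`);
      }
    }
  }

  // Implicit clients receive tokens in the fragment of the redirect URI, so
  // in production only https or a custom scheme is accepted for redirect_uris.
  if (production && grantTypes.has('implicit')) {
    for (const uri of metadata.redirect_uris || []) {
      let scheme;
      try {
        scheme = new URL(uri).protocol.replace(/:$/, '');
      } catch (e) {
        errors.push(`redirect_uri is not a valid URL: ${uri}`);
        continue;
      }
      if (scheme === 'http') {
        errors.push(`implicit clients must use https or a custom scheme for redirect_uri: ${uri}`);
      }
    }
  }
  return errors;
}

// What the authorization endpoint does with the response_type a client asks
// for: anything not registered is answered with unsupported_response_type.
function checkAuthorizationRequest(metadata, requestedResponseType) {
  const registered = (metadata.response_types || ['code']).map(normalizeResponseType);
  return registered.includes(normalizeResponseType(requestedResponseType))
    ? null
    : 'unsupported_response_type';
}

// Constructed samples. BROKEN mirrors the demo app as described in the issue:
// the registration script sends no response_types/grant_types, so the client
// is registered for "code" only, yet the browser then asks for "id_token token".
const BROKEN_REGISTRATION = {
  client_name: 'example-app',
  redirect_uris: ['http://localhost:9000/callback_popup.html'],
};
// HALF_FIXED has the right claims but still runs over http.
const HALF_FIXED_REGISTRATION = {
  client_name: 'example-app',
  redirect_uris: ['http://localhost:9000/callback_popup.html'],
  response_types: ['id_token token'],
  grant_types: ['implicit'],
};
// FIXED applies both steps from the comment above.
const FIXED_REGISTRATION = {
  client_name: 'example-app',
  redirect_uris: ['https://localhost:9000/callback_popup.html'],
  response_types: ['id_token token'],
  grant_types: ['implicit'],
};

console.log('broken  ->', checkAuthorizationRequest(BROKEN_REGISTRATION, 'id_token token'));
console.log('half    ->', validateClientMetadata(HALF_FIXED_REGISTRATION));
console.log('fixed   ->', validateClientMetadata(FIXED_REGISTRATION),
            checkAuthorizationRequest(FIXED_REGISTRATION, 'id_token token'));
```

Run with `node`. The broken registration is internally consistent (the defaults `code` / `authorization_code` match), which is why it registers fine and only fails later at the authorization endpoint with exactly the error in the console output above; the half-fixed one registers the right claims but is rejected in production for its `http` redirect URI.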
