implicit authorization flow

The docs mention gtImplicit option, but I cannot get it to send JWT on the redirect with a "response_type=id_token" in the request. Am I missing something, or is it not supposed to be able to do this at all by design?

It is supported. Please provide the exact details of what you are doing so we can properly answer you.

Note that id_token is only returned if you include openid scope.

I have no server-side code to "handle" it specifically, just setting gtImplicit as the only property in the Application. And then I'm calling it with both response_type=id_token&scope=openid - when it redirects, there's no JWT anywhere at all - not in the Headers, nor in the Query. It redirects with a GET, so there's no Body. There are really no more details to add, it's a rather atomic operation.

As per my original question in a different thread: [basically, when I set AllowedGrantTypes in the Application to gtImplicit, nothing happens: it does not send the target anything on a redirect - not Code, nor JWT token, no query parameters and no extra headers in a GET request. I need it to send JWT token. My initial URL is like this:
http://server:2001/tms/sphinx/oauth/authorize/?client_id=app1&response_type=id_token&scope=openid&redirect_uri=https://server2:4431/uri&nonce=ikghjh
So, I'm asking for "id_token", but the same happens if I ask for "token".
Am I missing anything, or is it not implemented? And will it be?]

Can you please share a sample project reproducing the issue? I think we are getting lost here in too many words.

Please send the project and steps reproducing the issue and then from here we can point exactly to what's going on.

MainForm.pas (4.9 KB)
Just changing the SimpleDemo server's App creation, as per attached. And then calling it with http://localhost:2001/tms/sphinx/oauth/authorize?response_type=id_token&client_id=web&redirect_uri=https%3A%2F%2Fmicrosoft.com%2Ftest&scope=openid&nonce=_v1MuK62c5mVRbIYlRx_9kxWD9_ URL - it accepts it and redirects after signon, but never sends a token.

Should I be calling another endpoint for this? - but I only see this & /token (which does not work for this request).

I see the id token being passed correctly here:

Ah, I see! What's after the # is inaccessible to the recipient. Can it do it with a "?" delimiter instead? Is this configurable anywhere? Both Azure & Okta send me a token in query parameters (i.e. after a ?-delimiter, not as a #-comment).

Had this once before, with Azure, I think. But it was after all configurable, so I could get my JWT in the Query after all. It's presumably safer in fragments, but nobody is really enforcing it.

I have now worked around this by making small changes to Sphinx code. But I'd really like to see this configurable through some setting - it's fine if it defaults to Fragment, but it needs to be developer-settable.

Would also be nice to add a POST option for the Redirect, with all these things in the Body.

And with the contents, it's reporting the user (i.e. "Hans") as the Tenant, which does not seem right. It also sets the Issuer ("iss") to whatever URL it's currently running on, which is a bit of an issue, because just enabling SSL would change that URL. So I think it would be good to be able to set that value in the code, so it's not up to the random server to decide, especially because any given server may be responding to dozens of different names.

That is not part of the OAuth specification, hence not allowed/possible.
References:

https://www.rfc-editor.org/rfc/rfc6749#section-4.2.2
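The point behind that reference is easy to see in code: the browser never transmits the part of the URL after the `#`, so the redirect_uri handler on the server gets a bare GET and only script on the redirect page can read the token. The following is an added illustration, not TMS Sphinx code or anything from the thread's attachment. It constructs an unsigned sample id_token (a placeholder with claims echoing the authorize URL from the thread) and a sample redirect, then shows what the server sees versus what the client extracts, including the nonce check that binds the token to the original request.

```javascript
// Added example (not TMS Sphinx code): how an implicit-flow redirect is split
// between what the browser sends to the server and what only page script sees.
// RFC 6749 section 4.2.2 requires the implicit grant to deliver its response
// parameters in the URL fragment. The fragment is never sent in the HTTP
// request, so the redirect_uri handler on the server sees a plain GET with no
// token; script running on the redirect page has to read it out of location.hash.

// base64url helpers (btoa/atob are available in browsers and in Node 16+).
function b64urlEncode(str) {
  return btoa(str).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
function b64urlDecode(str) {
  const b64 = str.replace(/-/g, "+").replace(/_/g, "/");
  return atob(b64 + "=".repeat((4 - (b64.length % 4)) % 4));
}

// Constructed sample: an unsigned id_token whose claims mirror the thread
// (issuer taken from the authorize URL, nonce echoed from the request).
// Real tokens are signed; the empty signature here only keeps the example
// self-contained.
const SAMPLE_CLAIMS = {
  iss: "http://server:2001/tms/sphinx",
  sub: "Hans",
  aud: "app1",
  nonce: "ikghjh",
};
const SAMPLE_ID_TOKEN =
  b64urlEncode(JSON.stringify({ alg: "none", typ: "JWT" })) + "." +
  b64urlEncode(JSON.stringify(SAMPLE_CLAIMS)) + ".";

// The redirect the user agent would follow after sign-on (fragment mode).
const SAMPLE_REDIRECT =
  "https://server2:4431/uri#id_token=" + SAMPLE_ID_TOKEN + "&state=xyz";

// Everything the user agent puts on the wire: scheme, host, path and query.
// This is all a server-side handler, proxy or access log ever receives.
function serverVisiblePart(redirectUrl) {
  const u = new URL(redirectUrl);
  return u.origin + u.pathname + u.search;
}

// Client-side: parse the fragment exactly like a query string.
function parseFragment(redirectUrl) {
  const u = new URL(redirectUrl);
  return Object.fromEntries(new URLSearchParams(u.hash.slice(1)));
}

// Read the claims so the nonce can be compared with the one the client sent.
// This does not verify the signature; that check against the issuer's keys
// is still mandatory before any claim is trusted.
function decodeJwtPayload(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  return JSON.parse(b64urlDecode(parts[1]));
}

// Bind the response to the request: the nonce in the token must equal the
// nonce the client generated for this authorize request; otherwise the token
// may have been replayed or injected from another session.
function acceptIdToken(redirectUrl, expectedNonce) {
  const params = parseFragment(redirectUrl);
  if (!params.id_token) return { ok: false, reason: "no id_token in fragment" };
  const claims = decodeJwtPayload(params.id_token);
  if (claims.nonce !== expectedNonce) return { ok: false, reason: "nonce mismatch" };
  return { ok: true, claims };
}

console.log("server sees:", serverVisiblePart(SAMPLE_REDIRECT));
console.log("client sees:", acceptIdToken(SAMPLE_REDIRECT, "ikghjh"));
```

Because the fragment stays in the browser, the token is kept out of server access logs and Referer headers, which is the reason the RFC mandates it; moving the token into the query string (as the workaround in this thread does) gives that protection up, so the nonce and signature checks above become the only thing standing between an injected token and a logged-in session.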

Maybe via POST, like how both Azure & Okta do it? Azure has a "response_mode=form_post" parameter available in the request to trigger it, and in Okta they call it "Okta Simplified" and I think there's one more internal Okta page involved, doing an extra hop. My mistake, I thought from memory that they were sending it in the query string, but it's actually in a POST.

For now, form_post response mode is not yet supported by TMS Sphinx, but it's indeed a good idea.

I suggest you file a feature request for that, then.