Release Notes

@rdgallagher rdgallagher released this 11 Dec 19:41
· 7257 commits to master since this release

This is a hotfix-only release. It adds a configuration flag that lets OAuth clients that are not allowed the "implicit" grant type continue to use the hybrid code+id_token OpenID flow from the Authorization endpoint without receiving an error response. This way they can still receive the authorization code and continue with the authorization_code grant flow.

The flag is called fallbackToAuthcode and defaults to false, meaning clients that do not have the ability to do implicit grants will get an unauthorized exception for the whole request.

This release is necessary to provide a workaround for a breaking change in UAA 1.10, which added the provision of the OpenID id_token but locked out clients without the implicit grant in the process.
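
The decision these notes describe, as an added Python model that is not UAA source code: it shows which response types the Authorization endpoint honours for a client with and without the "implicit" grant. Every name except fallbackToAuthcode is hypothetical, and two behaviours are assumptions: that the fallback returns only the code, and that a request with no code part is still rejected.

```python
# Added illustration of the behaviour in these release notes; not UAA code.
# All names here are hypothetical except the fallbackToAuthcode flag itself.

class UnauthorizedClient(Exception):
    """The client asked for a response type its grant types do not permit."""


# Response types that hand a token back directly from the Authorization
# endpoint, which is what the "implicit" grant type authorizes.
FRONT_CHANNEL = {"token", "id_token"}


def issued_response_types(response_type, client_grant_types,
                          fallback_to_authcode=False):
    """Return the response types the endpoint would honour for this request.

    response_type        space-separated value from the request,
                         e.g. "code id_token" for the hybrid flow
    client_grant_types   grant types registered for the client
    fallback_to_authcode models the fallbackToAuthcode flag (default false)
    """
    requested = set(response_type.split())
    grants = set(client_grant_types)

    if "code" in requested and "authorization_code" not in grants:
        raise UnauthorizedClient("authorization_code grant not allowed")

    wants_front_channel = requested & FRONT_CHANNEL
    if not wants_front_channel or "implicit" in grants:
        return requested  # nothing needs restricting

    # The client lacks "implicit" but asked for a front-channel token.
    if fallback_to_authcode and "code" in requested:
        # Assumption: the token parts are dropped and only the code is
        # issued; the client redeems it through the authorization_code grant.
        return {"code"}

    # Flag off (the default), or no code to fall back to (assumption):
    # the whole request is rejected.
    raise UnauthorizedClient("implicit grant not allowed")
```

With the flag enabled, a hybrid request from such a client is answered as if it had asked for `code` alone, so the client only obtains tokens by redeeming the code through the authorization_code grant.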