Release Notes
This is a hotfix-only release. It adds a configuration flag that lets OAuth clients that are not allowed the "implicit" grant type continue to use the hybrid code+id_token OpenID flow from the Authorization endpoint without receiving an error response. This way they can still receive the authorization code and continue with the authorization_code grant flow.
The flag is called fallbackToAuthcode and defaults to false, meaning clients that do not have the ability to do implicit grants will get an unauthorized exception for the whole request.
This release is necessary to provide a workaround for a breaking change in UAA 1.10, which added the provision of the OpenID id_token but, in the process, locked out clients without the implicit grant.