The authorization server does not support obtaining a token using this method

Question

I am using ORY Hydra as authorization server and I'm trying to get an id_token along with the access_token when calling the authorize endpoint.

This is how my client is created

docker run --rm oryd/hydra clients create --audience my-aud -c http://localhost:3000 -g implicit --id test_token -n "Test getting an id_token" -a api,offline,openid -r id_token,token --token-endpoint-auth-method client_secret_post --endpoint http://10.1.0.147:4445

Now if I call my client using response_type=token, I can get only access token in the response

http://localhost:4444/oauth2/auth?client_id=test_token&login_verifier=dfb81eed26cf46f2832701f478c90d38&nonce=t12123421342313&provider=test&redirect_uri=http%3A%2F%2Flocalhost%3A3000&response_type=token&scope=api+openid+offline&state=xkm6tilq8ol7toxrib4ipxj6rckeen8kf

I get the response

#access_token=eyJhbGciOiJSUzI1NiIsImtpZCI6InB1YmxpYzpmNTNhODI5Yi0wODFiLTQyMWItOTY3MS1kZWVkOGJlMTIxYzkiLCJ0eXAiOiJKV1QifQ.eyJhdWQiOlsiYXVkLWFwaSJdLCJjbGllbnRfaWQiOiJjb3JldGVjaF9jbGllbnQiLCJleHAiOjE1NjQwOTA3NDUsImV4dCI6eyJzdWJfaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo4MDgwL2F1dGgvcmVhbG1zL21hc3RlciJ9LCJpYXQiOjE1NjQwODcxNDUsImlzcyI6Imh0dHA6Ly9sb2NhbGhvc3Q6NDQ0NC8iLCJqdGkiOiJmZTA3Y2JjMC00Y2FiLTRkNjktYmNlYS05MzRhNzNhOTkxMzYiLCJuYmYiOjE1NjQwODcxNDUsInNjcCI6WyJhcGlfc2NvcGUiXSwic3ViIjoiOTU3ZTA4ZjYtZTgyMy00ZTBjLThkODAtZDU3NTM2NmNhYTgxIn0.r97Vp_tmVOMpar3OSiOhNEI6PxzLoKtHE6CEezVsteamf7_qOhP6pbIvW91D8EZutGUuG4sxaDpunNv22R9hVyIGqVHqssAPLk5k7f00_UNp4ZuSswHqPj7L1O2JOp6zx-Ybrs_XTy3qaH9Yt-ofB35Y95DTyIabTIbuCyz2q24soWbf7j3yhseU6OJYq66qnw2PyhhskUKlLiaWcapioH4vnKJwg2aq1G_NKTGnuM3-w7XjR0TWVUBk9UDYDl4yo_eZJ5gA71ew6g44eO-ubdpjS1ITbsS5Dda8-R8jvmooHnr8uS3yJ5vATnwgNMfSEwBMEvodeWLloj9w0pDUaj8-9X6MDDxXMitBYjRgMulQUc2J-bkZM0_I0V6gyrj2NY_T3wDR6vbDvGG9n2J-KRbzIp1UE3c_LOfeUyW0xNEksBTJkFBIcS5BY0L_PE8rdGeyJ9iHEIBpWYA7MZKymu2-o9qoBa_kTzMTKj_v98c_BEnnKs7-F1WqecO-YP6pPKX9rTBQhe-pf4iC4yeObngkPIcJE5j_TQlTyUwyW5LZJN2xJglGugeuAdS2LMh0MNuaeaFGttOobOS2pUaIbgdvKxV2oV3fxWPh5h8a7iEsJC4VD75CApQIc5l6EeMaHRLN2mAIodRP-Mae6ht9556X4ghloZ50v-WczGAvq3I&expires_in=3599&scope=api&state=n3vxns17tfx7xpkkm5v9dw0bb6565s8&token_type=bearer

However, If I include the id_token now within the authorize endpoint parameters

http://localhost:4444/oauth2/auth?client_id=test_token&login_verifier=dfb81eed26cf46f2832701f478c90d38&nonce=t12123421342313&provider=test&redirect_uri=http%3A%2F%2Flocalhost%3A3000&response_type=id_token&scope=api+openid+offline&state=xkm6tilq8ol7toxrib4ipxj6rckeen8kf

After consenting, I get the following error

?error=unsupported_response_type&error_description=The+authorization+server+does+not+support+obtaining+a+token+using+this+method&state=k3g94uqdy5ippyakeohsrwkpkrm1uh

What am I doing wrong here?

Answer 1

error=unsupported_response_type

It means your requested response type is not supported by ory/hydra Openid Connect provider.

And checking their GIT repository, it is certified only for following profiles,

The following OpenID profiles are certified:

• Basic OpenID Provider (response types code)
• Implicit OpenID Provider (response types id_token, id_token+token)
• Hybrid OpenID Provider (response types code+id_token, code+id_token+token, code+token)

So you need to change your response type accordingly to match what they support.

Anyway please be mindful about Implicit and Hybrid flows. Though they are defined by OpenID Connect specification, they are not recommended to use. Instead go with authorisation code flow (basic openid provider as per above description.)