A deployment professional has a requirement to configure an OpenID provider which does not expose tokens to the end user.
Which grant type should be enabled when creating the federation?
The Authorization Code grant type is the appropriate choice for an OpenID provider that does not expose tokens to the end user. This is because the Authorization Code flow ensures that the tokens are delivered directly to the client application via a secure back channel, allowing the application to securely exchange the authorization code for access tokens without exposing them to the end user.
https://www.ibm.com/support/knowledgecenter/SSPREK_9.0.7/com.ibm.isam.doc/config/concept/con_oauth20_workflow.html#con_oauth20_workflow