Hi everyone, thank you for your awesome work! I deployed Hydra on Kubernetes and created this client here: / $ hydra list clients -e http://localhost:4445 CLIENT ID CLIENT SECRET GRANT TYPES RESPONSE TYPES SCOPE AUDIENCE REDIRECT URIS fakeuuid-96ae-421e-9439-fb875da127aa [authorization_code refresh_token] [code id_token] openid offline email personaldata https://sample-app.company.com/callback When I redirect an example application to Hydra to handle the login, I get this message unsupported_response_type: The authorization server does not support obtaining a token using this method. The client is not allowed to request response_type 'code'. This is how I redirect the user: client_id = "fakeuuid-96ae-421e-9439-fb875da127aa" callback_url = "https://sample-app.company.com/callback" # url encoded but decoded here for readability state = "some-always-random-stuff" scopes = "openid offline email personaldata" # url encoded but decoded here for readability redirect(f"{hydra_public_url}/oauth2/auth?client_id={client_id}&redirect_uri={callback_url}&response_type=code&state={state}&scope={scopes}", code=302) So what's wrong? I'm requesting response_type=code and the client has that RESPONSE TYPE, also id_token (see above: [code id_token]) Let me know if you need more information. Thank you for your support. Best regards Ronny

Hi, the response type is "code id_token" and not just "code". How did you create the client?

Thanks for the quick response! I created it via CLI, like this: hydra create client --name "Sample application" --redirect-uri "https://sample-app.company.com/callback" --scope "openid offline email personaldata" --response-type "[code id_token]" --token-endpoint-auth-method none --grant-type "[authorization_code refresh_token]" --endpoint http://localhost:4445

that's one option. I believe you can also add a , in between code and id_token during the client creation (or in an ory update CLI call). That would mean that code or id_token are allowed.

I just created a new client, added the comma hydra create client --name "Sample application" --redirect-uri "https://sample-app.company.com/callback" --scope "openid offline email personaldata" --response-type "[code,id_token]" --token-endpoint-auth-method none --grant-type "[authorization_code refresh_token]" --endpoint http://localhost:4445 CLIENT ID CLIENT SECRET GRANT TYPES RESPONSE TYPES SCOPE AUDIENCE REDIRECT URIS e63cdd89-bb86-4dea-8a55-c029b4aedb9a [authorization_code refresh_token] [code, id_token] openid offline email personaldata https://sample-app.company.com/callback I made sure the sample app uses the new hydra client but I still get the same message

Hm, the problem might be the [ ] around them during client creation. It's a literal string, now

I'll take a look later or tomorrow morning (Berlin time)

@icy-byte-32534 In most documentation, the convention is to indicate optional command line flags in square brackets. In other words the hydra create client documentation you referenced showed the command as

hydra create client [flags]

. This simply means you can include

flags

in the command, but they are optional. (Obviously, in most cases, for this command to be useful you will likely want to include flags.). Moreover, when you include flags, you will not include the literal square brackets

[ xxx ]

.