I am trying to build a confidential client app that has a single-page app frontend, and I’d like to follow this implementation note in the OIDC spec and use
However, if the Client does not run entirely in the User Agent, one way to achieve this is to post them to a Web Server Client for validation.
However, when I build a confidential application and request the fragment response mode, I receive an error (application logs):
Unsupported response mode: fragment
For reference, Okta does support having a confidential client use the fragment response mode. I have similar thoughts about the web_message response mode but haven’t had a chance to test that yet.
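
The hand-off described in the quoted implementation note, as an added example that is not part of the original post or of any provider's code: the page in the user agent parses the fragment parameters, checks `state`, and builds a form POST for the web server client, which holds the client secret and does the actual validation. The function names, the `/oidc/callback` path and the sample redirect URI are assumptions made for illustration.

```javascript
// Added example. parseFragmentResponse, buildBackendPost and the
// /oidc/callback path are hypothetical names, not from any SDK.

// Parse the form-encoded fragment of the redirect URI into a Map.
// Duplicate parameters are rejected so the browser and the server
// cannot end up validating different values.
function parseFragmentResponse(redirectUrl) {
  const fragment = new URL(redirectUrl).hash.replace(/^#/, '');
  const params = new Map();
  for (const [name, value] of new URLSearchParams(fragment)) {
    if (params.has(name)) throw new Error(`duplicate parameter: ${name}`);
    params.set(name, value);
  }
  return params;
}

// Build the POST that carries the fragment values to the server side.
// The browser only checks state; ID token validation and the code
// exchange (with the client secret) stay on the server.
function buildBackendPost(redirectUrl, expectedState) {
  const params = parseFragmentResponse(redirectUrl);
  if (params.has('error')) {
    throw new Error(`authorization error: ${params.get('error')}`);
  }
  if (!expectedState || params.get('state') !== expectedState) {
    throw new Error('state mismatch');
  }
  if (!params.has('code') && !params.has('id_token')) {
    throw new Error('no code or id_token in fragment');
  }
  return {
    url: '/oidc/callback', // hypothetical server endpoint
    method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: new URLSearchParams([...params]).toString(),
  };
}

// In a browser this would be used roughly as:
//   const req = buildBackendPost(location.href, sessionStorage.getItem('state'));
//   history.replaceState(null, '', location.pathname); // drop the fragment
//   await fetch(req.url, req);

// Constructed sample redirect URI (values are made up).
const SAMPLE_REDIRECT =
  'https://app.example/cb#code=abc123&state=xyz789&id_token=aaa.bbb.ccc';
```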