I've been working with IdentityServer3 for a little while now. I have hooked up some SPA applications, as well as some ASP.Net webform applications.
When I trace the networks calls in Fiddler, I sometimes see the Auth Token returned in the redirect url. Sometimes I see it returned in a form post.
How do I control this and specify how I want the auth token returned?
This is controlled by the response_mode OIDC param.
https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html
https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html