Per the OAuth2 Specification:
If a response type contains one or more space characters (%x20), it
is compared as a space-delimited list of values in which the order of
values does not matter. Only one order of values can be registered,
which covers all other arrangements of the same set of values.
For example, the response type "token code" is left undefined by this
specification. However, an extension can define and register the
"token code" response type. Once registered, the same combination
cannot be registered as "code token", but both values can be used to
denote the same response type.
OidcImplicitService and OidcHybridService both support multiple response types, but require specific ordering. For example id_token token will work, but token id_token returns unsupported_response_type