diff --git a/internal/oidc/clientregistry/clientregistry.go b/internal/oidc/clientregistry/clientregistry.go
index f60cc07d..c01caa7d 100644
--- a/internal/oidc/clientregistry/clientregistry.go
+++ b/internal/oidc/clientregistry/clientregistry.go
@@ -18,10 +18,16 @@ type Client struct {
 	fosite.DefaultOpenIDConnectClient
 }
 
-// It implements both the base and OIDC client interfaces of Fosite.
+func (c Client) GetResponseModes() []fosite.ResponseModeType {
+	// For now, all Pinniped clients always support "" (unspecified), "query", and "form_post" response modes.
+	return []fosite.ResponseModeType{fosite.ResponseModeDefault, fosite.ResponseModeQuery, fosite.ResponseModeFormPost}
+}
+
+// It implements both the base, OIDC, and response_mode client interfaces of Fosite.
 var (
 	_ fosite.Client              = (*Client)(nil)
 	_ fosite.OpenIDConnectClient = (*Client)(nil)
+	_ fosite.ResponseModeClient  = (*Client)(nil)
 )
 
 // StaticClientManager is a fosite.ClientManager with statically-defined clients.
diff --git a/internal/oidc/clientregistry/clientregistry_test.go b/internal/oidc/clientregistry/clientregistry_test.go
index 0da67fcc..5062f629 100644
--- a/internal/oidc/clientregistry/clientregistry_test.go
+++ b/internal/oidc/clientregistry/clientregistry_test.go
@@ -59,6 +59,7 @@ func TestPinnipedCLI(t *testing.T) {
 	require.Equal(t, "", c.GetRequestObjectSigningAlgorithm())
 	require.Equal(t, "none", c.GetTokenEndpointAuthMethod())
 	require.Equal(t, "RS256", c.GetTokenEndpointAuthSigningAlgorithm())
+	require.Equal(t, []fosite.ResponseModeType{"", "query", "form_post"}, c.GetResponseModes())
 
 	marshaled, err := json.Marshal(c)
 	require.NoError(t, err)