Details
-
Improvement
-
Status: Resolved
-
Major
-
Resolution: Done
-
6.5.2.2
Description
When using OpenID Connect node in a tree and requesting response_mode=form_post (https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html) from the OP (in the authorize request), the response from the OP is in the form of a POST to the redirect URL with a self submitting form in the payload. This does not work and as the redirect URL
is the XUI endpoint, it just starts a new authentication flow.
This is particularly important when using "Sign in with Apple". Apple OP does not return any default claims in the id_token, so to get usable claims, the client has to provide them in the scope as part of the call to the authorize endpoint of Apple. But Apple requires the response_mode=form_post if any scopes are requested, according to https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_js/incorporating_sign_in_with_apple_into_other_platforms
Interestingly, as an OP, AM supports the response_mode=form_post.
Acceptance Criteria
- Social Provider Handler Node is spec compliant vis a vis a form_post during auth flow redirect.
Attachments
Issue Links
- depends on
-
COMMONS-679 Enable form post configuration on OAuth2 clients
-
- Open
-
-
-
- Resolved
-
-
-
- Resolved
-
1.
|
Initial PoC to determine needed changes |
|
Closed | Dipu Seminlal |
2.
|
Add response mode OIDC Commons configuration |
|
Closed | Andrew Forrest |
3.
|
Functional tests |
|
Closed | Kevin Umebolu |
4.
|
Unit tests |
|
Closed | Unassigned |
5.
|
Add new form_post endpoint |
|
Closed | Dipu Seminlal |
6.
|
Add response mode AM configuration |
|
Closed | Michael Carter [X] (Inactive) |
7.
|
DoD: response_mode=form_post from Relying Party |
|
Closed | Andrew Vinall |