  1. OpenAM
  2. OPENAM-16358

OIDC authentication nodes do not work when response_mode=form_post is requested from OP


      Description

      When an OpenID Connect node is used in a tree and the authorize request asks the OP for response_mode=form_post (https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html), the OP responds with a self-submitting form that POSTs the response to the redirect URL. This does not work: because the redirect URL is the XUI endpoint, the POST just starts a new authentication flow.

      This is particularly important when using "Sign in with Apple". The Apple OP does not return any default claims in the id_token, so to get usable claims the client has to provide them in the scope as part of the call to Apple's authorize endpoint. However, Apple requires response_mode=form_post if any scopes are requested, according to https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_js/incorporating_sign_in_with_apple_into_other_platforms

      Interestingly, as an OP, AM supports the response_mode=form_post.

      Acceptance Criteria

      • Social Provider Handler Node is spec-compliant vis-à-vis a form_post during the auth flow redirect.
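      What a relying-party callback has to do to accept the form_post response described above, as an added example that is not OpenAM code. The function name, error class and sample values are assumptions made for illustration.

```python
import hmac
from urllib.parse import parse_qs

# Constructed sample of the body an OP's self-submitting form POSTs back.
SAMPLE_BODY = b"code=constructed-auth-code&state=constructed-state-123&id_token=aaa.bbb.ccc"

class CallbackError(ValueError):
    """The form_post callback must be rejected."""

def parse_form_post_callback(method, content_type, body, expected_state):
    """Validate a form_post authorization response and return its parameters.

    expected_state is the state value the relying party stored when it sent
    the authorize request (storage is assumed and not shown).
    """
    # form_post delivers the response in a POST body, so a GET is not valid.
    if method.upper() != "POST":
        raise CallbackError("form_post responses arrive as POST")
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type != "application/x-www-form-urlencoded":
        raise CallbackError("unexpected content type")
    try:
        fields = parse_qs(body.decode("utf-8"), keep_blank_values=True,
                          strict_parsing=True)
    except (UnicodeDecodeError, ValueError) as exc:
        raise CallbackError("malformed form body") from exc
    params = {}
    for name, values in fields.items():
        # A repeated parameter is ambiguous; refuse instead of picking one.
        if len(values) != 1:
            raise CallbackError("duplicate parameter: " + name)
        params[name] = values[0]
    # Bind the response to the authorize request that started this flow.
    state = params.get("state", "")
    if not expected_state or not hmac.compare_digest(
            state.encode(), expected_state.encode()):
        raise CallbackError("state mismatch")
    if "error" in params:
        raise CallbackError("OP returned error: " + params["error"])
    if "code" not in params and "id_token" not in params:
        raise CallbackError("no code or id_token in response")
    return params

if __name__ == "__main__":
    print(parse_form_post_callback(
        "POST", "application/x-www-form-urlencoded; charset=UTF-8",
        SAMPLE_BODY, "constructed-state-123"))
```

      Because the callback is a cross-site POST from the OP, cookies marked SameSite=Lax or Strict are not sent with it, so whatever holds the pending state has to survive that request.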


              People

              Unassigned
              Sandeep Chaturvedi (sandeep.chaturvedi)