- Type: Improvement
- Status: Open
- Priority: Major
- Resolution: Unresolved
- Affects Version/s: 6.5.2.2
- Fix Version/s: None
- Component/s: authentication, OpenID Connect
- Labels:
- Target Version/s:
- Story Points: 5
- Epic Link:
- Support Ticket IDs:
When using the OpenID Connect node in a tree and requesting response_mode=form_post (https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html) from the OP (in the authorize request), the response from the OP is in the form of a POST to the redirect URL with a self-submitting form in the payload. This does not work: as the redirect URL is the XUI endpoint, it just starts a new authentication flow.
This is particularly important when using "Sign in with Apple". The Apple OP does not return any default claims in the id_token, so to get usable claims, the client has to request them in the scope as part of the call to Apple's authorize endpoint. But Apple requires response_mode=form_post if any scopes are requested, according to https://developer.apple.com/documentation/sign_in_with_apple/sign_in_with_apple_js/incorporating_sign_in_with_apple_into_other_platforms
Interestingly, as an OP, AM supports the response_mode=form_post.
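To make the missing behaviour concrete, here is a sketch of what a redirect endpoint has to do with a form_post response. It is an added example, not AM code; `handle_form_post`, `FormPostError` and the sample values are hypothetical names and constructed data.

```python
import hmac
from urllib.parse import parse_qs

FORM_TYPE = "application/x-www-form-urlencoded"

# Constructed sample of what the OP's self-submitting form posts to the redirect URL.
SAMPLE_STATE = "s3ssion-bound-state"
SAMPLE_BODY = "code=constructed-code-123&state=" + SAMPLE_STATE


class FormPostError(ValueError):
    """Raised when a form_post authorization response must be rejected."""


def handle_form_post(method, content_type, body, expected_state):
    """Validate a response_mode=form_post callback and return its parameters.

    expected_state is the state value the client stored when it sent the
    authorize request (assumption: the caller looks it up for this browser).
    """
    if method != "POST":
        raise FormPostError("form_post responses arrive as POST")
    if content_type.split(";")[0].strip().lower() != FORM_TYPE:
        raise FormPostError("unexpected content type")
    try:
        parsed = parse_qs(body, keep_blank_values=True, strict_parsing=True)
    except ValueError as exc:
        raise FormPostError("malformed form body") from exc
    # Each parameter may appear only once; duplicates are ambiguous, so reject.
    params = {}
    for name, values in parsed.items():
        if len(values) != 1:
            raise FormPostError("duplicate parameter: " + name)
        params[name] = values[0]
    # Bind the response to the flow that started it before trusting anything else.
    state = params.get("state", "")
    if not expected_state or not hmac.compare_digest(
            state.encode(), expected_state.encode()):
        raise FormPostError("state mismatch")
    if "error" in params:
        raise FormPostError("OP returned error: " + params["error"])
    if "code" not in params and "id_token" not in params:
        raise FormPostError("no code or id_token in response")
    # The caller resumes the existing authentication flow with these values
    # instead of starting a new one.
    return params
```

Because the POST originates from the OP's page, it is a cross-site request, and browsers do not send cookies marked SameSite=Lax or Strict with it; whatever the client uses to find `expected_state` has to survive that.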
Acceptance Criteria
- Social Provider Handler Node is spec compliant vis a vis a form_post during auth flow redirect.
- depends on: OPENIDM-14976 Using Social Identity Providers with response_mode=form_post does not work (Resolved)