[OPENAM-5859] Support the form_post OAuth 2.0 response mode Created: 21/Apr/15  Updated: 09/Jan/18  Resolved: 23/Sep/15

Status: Resolved
Project: OpenAM
Component/s: oauth2, OpenID Connect
Affects Version/s: 13.0.0
Fix Version/s: 13.0.0

Type: Improvement Priority: Major
Reporter: James Phillpotts Assignee: Unassigned
Resolution: Fixed Votes: 5
Labels: CustomerRFE, release-notes
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
Duplicate
Relates
is related to OPENAM-12303 Document support for the form_post OA... Resolved
Support Ticket IDs:

 Description   

It would be good to support this new standard for response mode, which enables easier integration in a client side flow: http://openid.net/2015/04/06/vote-to-approve-final-oauth-2-0-form-post-response-mode-specification/



 Comments   
Comment by Tom Kofford [X] (Inactive) [ 21/May/15 ]

Although form_post is a new addition to the spec, it is desirable in many instances. To date there are three response modes now defined. They are fragment, query, and form_post. For "query" the IDP places the response parameters in query string parameters of the redirect URI and issues a 302 response. For "fragment" the IDP places them as fragments of the redirect URI and issues a 302 response which would require some client component in the user-agent to be engaged in processing the fragment parts since fragments are never sent from user agents to servers such as in the subsequent request to the redirect URI of the client. For "form_post" the IDP places them in one or more input elements of a returned form and issues a 200 response that is then auto-submitted via javascript to the client's redirect URI. This avoids having the idToken in logs (security vulnerability) and is doesn't require special user agent processing like is needed for fragment.

Comment by Andy Hall [ 23/Sep/15 ]

Fixed by work in other JIRA ticket.

Comment by Jeff Olson [ 09/Jan/18 ]

This should be added to the OAuth/OIDC documentation.

Generated at Tue Oct 27 07:21:14 UTC 2020 using Jira 7.13.12#713012-sha1:6e07c38070d5191bbf7353952ed38f111754533a.