SJB

Reputation: 17

OIDC response_mode= form_post

I am implementing the response_mode=form_post and I would like to know what are the possible response_types for this mode.

I read in some places that it supports response_type=code and response_type=id_token (login-only cases). When an access_token is returned, with type `id_token token`, can we use form_post?

Upvotes: 0

Views: 12838

Answers (2)

Michal Trojanowski

Reputation: 12322

You can have any response type used with the form_post response mode. The specification defines default response modes that should be used with the given response types, but the spec for form_post does not limit its use to only some response_type cases.

Still, that should not make any difference for your implementation. You should just take the form returned by the authorization server and submit it, like you would any other HTML form on a page. So it doesn't matter for you what is in the form, and the action URL should be in the form anyway.

Upvotes: 1

Tore Nestenius

Reputation: 19921

response_mode controls how the tokens are delivered to the client. If you use response_mode=form_post then it is done via an auto-submitted form post generated by the Identity Provider. If you don't provide it, you will get the tokens via the query string. There are no more alternatives that I know of.

Basically, response_mode defines how the tokens (ID/Access/Refresh) are delivered to your client.

According to the spec here:

it says:

This specification defines the Form Post Response Mode, which is described with its response_mode parameter value:

In this mode, Authorization Response parameters are encoded as HTML form values that are auto-submitted in the User Agent, and thus are transmitted via the HTTP POST method to the Client, with the result parameters being encoded in the body using the application/x-www-form-urlencoded format. The action attribute of the form MUST be the Client's Redirection URI. The method of the form attribute MUST be POST. Because the Authorization Response is intended to be used only once, the Authorization Server MUST instruct the User Agent (and any intermediaries) not to store or reuse the content of the response.

Any technique supported by the User Agent MAY be used to cause the submission of the form, and any form content necessary to support this MAY be included, such as submit controls and client-side scripting commands. However, the Client MUST be able to process the message without regard for the mechanism by which the form submission was initiated.

https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html

Upvotes: 3
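The three parties in the quoted spec text (Authorization Server renders the form, User Agent auto-submits it, Client consumes the POST) as an added, self-contained example; it is not code from either answer or from any OIDC library. The redirect URI, code and state values are constructed, and the "user agent" step only extracts and encodes the form fields instead of making a network request.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode

def build_form_post_response(redirect_uri, params):
    """Authorization Server side: render the auto-submitting form.
    action = the Client's Redirection URI, method = POST, one hidden input per
    response parameter; the no-store headers implement the 'do not store or
    reuse' rule quoted above from the spec."""
    inputs = "".join(f'<input type="hidden" name="{html.escape(k)}" value="{html.escape(v)}"/>'
                     for k, v in params.items())
    body = ('<html><body onload="document.forms[0].submit()">'
            f'<form method="post" action="{html.escape(redirect_uri)}">{inputs}</form>'
            '</body></html>')
    headers = {"Content-Type": "text/html;charset=UTF-8",
               "Cache-Control": "no-store", "Pragma": "no-cache"}
    return headers, body

class _FormReader(HTMLParser):
    """Collects the form action and hidden fields from the rendered page."""
    def __init__(self):
        super().__init__()
        self.action, self.fields = None, {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.action = a.get("action")
        elif tag == "input" and a.get("type") == "hidden":
            self.fields[a["name"]] = a.get("value", "")

def user_agent_submit(page):
    """User Agent side: what the browser does on load, minus the network hop."""
    reader = _FormReader()
    reader.feed(page)
    return reader.action, "application/x-www-form-urlencoded", urlencode(reader.fields)

def parse_form_post_callback(content_type, body, expected_state):
    """Client side: accept the POST regardless of how the form was submitted,
    bind it to the pending request via state, and surface an error response."""
    if not content_type.startswith("application/x-www-form-urlencoded"):
        raise ValueError("form_post callback must be form-urlencoded")
    params = {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}
    if params.get("state") != expected_state:
        raise ValueError("state mismatch: possible CSRF or replayed response")
    if "error" in params:
        raise ValueError("authorization error: " + params["error"])
    return params
```

Because the hidden inputs are HTML-escaped on the way in and decoded by the browser on the way out, a state value containing `&` survives the round trip intact; the same code path handles `code`, `id_token` or `id_token token` responses, since the client never inspects the form itself.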
