Reputation: 25
spring security openid connect request for access token implementation doesn't align cas api requirement
I'm working on integrating Spring Security with CAS by openid connect of authorization_code flow. According to openid connect protocol, there are following steps:
- ....
- browser get Authentication and code from OpenID Provider
- browser send the code to client
- client makes token request to OpenID provider for access token.
- ....
The issue happened on step 4. Spring Security make the request and put the grant_type, code info into body instead of the url. But CAS require to put the code info into url. [CAS API for Authorization Code]
Does anybody has experience with such situation? Any Suggestion is appreciate
Upvotes: 1
Views: 238
Answers (1)
Reputation: 19971
You control how the code is delivered to the client using the response_mode parameter during the initial authentication request.
It specifies the method that should be used to send the resulting authorization code back to your app. Can be form_post or fragment. For web applications, we recommend using response_mode=form_post, to ensure the most secure transfer of tokens to your application.
Upvotes: 1
Related Questions
- Spring Security and OpenID Connect (OIDC)
- Spring Boot Security CAS Authentication Integration
- Can't make CAS Single Sign Out work with Spring Security
- Spring Security with CAS rest (Direct login)
- spring security token request requires authentication
- Authenticate spring web application through CAS server
- CAS HTTP 401 - Authentication Failed: Bad credentials
- Authenticate user for secure spring service with CAS RESTful API ticket
- Spring Security with CAS authentication and custom authorization
- Implementing CAS with Spring Security 3