OpenID connect: support response_mode=query #217
Comments
|
@brentschmaltz if you agree with the general idea, I'll submit a PR when yours is merged. |
|
It's not entirely my call, other folks involved have indicated that 'query_mode' should not be supported by default. |
|
You should maybe ping them so they can participate to this conversation 👷 /cc @selfissued |
|
@PinpointTownes I don't think there is much support for query mode. |
|
@PinpointTownes did you ping MikeJones (selfissued)? |
|
@brentschmaltz I mentioned him in my last post, so he probably received a notification from GitHub. I'll ping him via Twitter 😄 |
|
First, response_mode should only be used when a non-default response mode is being requested for the response_type, per http://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#ResponseModes and http://openid.net/specs/openid-connect-core-1_0.html#AuthRequest. Given that it's never safe to use the query response_mode when fragment encoding is the default, this means that it is only ever safe to use response_mode=query when response_type=code is used. But in that case, it's unnecessary and NOT RECOMMENDED, because query is already the default for the code response_mode. So I short, response_mode=query should never be used. The query response mode is, of course, used by default for the most common response_type - code. I would close this one as invalid, because it reflects a misunderstanding of the specifications. |
|
@selfissued by The question is: should we support GET+query string callbacks for |
BTW, that's exactly what I said in my first post:
|
|
The default response modes are specified for each response type in http://openid.net/specs/oauth-v2-multiple-response-types-1_0.html. For instance, about the four combination response types defined in http://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#Combinations, you'll see this language "The default Response Mode for this Response Type is the fragment encoding and the query encoding MUST NOT be used". Likewise, http://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#id_token says "The default Response Mode for this Response Type is the fragment encoding and the query encoding MUST NOT be used". The only response_type for which the query response mode is permitted is "code", which is documented at http://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#ResponseModes says "the default Response Mode for the OAuth 2.0 code Response Type is the query encoding". But since it's the default, response_mode=query should not be explicitly included in any requests. Therefore, for no response_type value used by OpenID Connect should response_mode=query ever be used. Requests to do so reflect an incomplete understanding of the specifications and the reasoning behind them. |
|
Meh, the thread is not about adding an explicit (you know we're not illiterate, right? 😄) |
|
wow, that took a while. thanks for pushing through. |
|
@PinpointTownes @selfissued @tushargupta51 |
|
@brentschmaltz if you want me to, I can submit a PR and ping you to make sure we're adding the right checks to reject unsafe OIDC payloads. |
|
@brentschmaltz https://github.com/PinpointTownes/Security/commit/4125595f89efa3c485c3dff16d770813369515a6 I'll test it with |
response_mode=querysupport has been a recurrent demand on JabbR, given that the optionalresponse_mode=form_postis not implemented everywhere.Even if authorization servers should make sure they don't return
tokenorid_tokenwhen usingresponse_mode=query, we should reject such requests in the middleware itself.#202 (comment)
/cc @HaoK @brentschmaltz @Praburaj
The text was updated successfully, but these errors were encountered: