Some OIDC providers such as Apple OIDC (as discovered by @FroMage) use a form_post response mode when returning the authorization code to quarkus-oidc - so instead of including it as a query parameter in a GET redirect it will be form-posted, alongside state, to Quarkus with POST.
So this response mode should also be supported.
Implementation ideas
Fall back to checking the form payload if the state verification has been done but no code has been found in a query string.
We can tweak OIDC wiremock a bit to support the form_post as well, but,
Hmm... I've just realized the state is also posted, and if state is not a query param we can't decide whether the post body can be read... i.e., how can quarkus-oidc figure out this POST is for quarkus-oidc only? Perhaps by analyzing the state cookie value and comparing the path stored there with the current request path.
I'm not sure this should require a configuration to turn it on or off, because this only happens when calling the OIDC callback endpoint, and we can just look at the method being used if it's GET or POST.
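The fallback discussed in this thread, as an added framework-neutral example that is not part of the issue and is not quarkus-oidc's own code: it reads `code` and `state` from the query string on GET, and from the form body on POST only when the state cookie names the current request path. The `FormPostCallback` class, the `extractCode` signature and the `<state>|<path>` cookie layout are assumptions made for illustration.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;
public class FormPostCallback {
    // Parse an application/x-www-form-urlencoded string (query string or POST body).
    static Map<String, String> parse(String encoded) {
        Map<String, String> params = new HashMap<>();
        if (encoded == null || encoded.isEmpty()) return params;
        for (String pair : encoded.split("&")) {
            int eq = pair.indexOf('=');
            String k = eq < 0 ? pair : pair.substring(0, eq);
            String v = eq < 0 ? "" : pair.substring(eq + 1);
            params.put(URLDecoder.decode(k, StandardCharsets.UTF_8), URLDecoder.decode(v, StandardCharsets.UTF_8));
        }
        return params;
    }

    // Assumed cookie layout for this sketch: "<state>|<callback path>" (hypothetical format).
    static Optional<String> extractCode(String method, String path, String query,
                                        String contentType, String body, String stateCookie) {
        int bar = stateCookie == null ? -1 : stateCookie.indexOf('|');
        if (bar < 0) return Optional.empty();           // no pending authentication
        String expectedState = stateCookie.substring(0, bar);
        String expectedPath = stateCookie.substring(bar + 1);
        Map<String, String> params;
        if ("GET".equals(method)) {
            params = parse(query);                      // default response mode: query parameters
        } else if ("POST".equals(method) && path.equals(expectedPath) && contentType != null
                && contentType.toLowerCase(Locale.ROOT).startsWith("application/x-www-form-urlencoded")) {
            // form_post: consume the body only when the cookie says this path is the pending callback.
            params = parse(body);
        } else {
            return Optional.empty();                    // not an OIDC callback: leave the body unread
        }
        String state = params.getOrDefault("state", "");
        boolean stateOk = MessageDigest.isEqual(state.getBytes(StandardCharsets.UTF_8),
                expectedState.getBytes(StandardCharsets.UTF_8));
        return stateOk ? Optional.ofNullable(params.get("code")) : Optional.empty();
    }
    public static void main(String[] args) {
        String cookie = "af0ifjsldkj|/callback";        // constructed sample values
        String form = "application/x-www-form-urlencoded";
        System.out.println(extractCode("GET", "/callback", "code=abc&state=af0ifjsldkj", null, null, cookie));
        System.out.println(extractCode("POST", "/callback", null, form, "code=abc&state=af0ifjsldkj", cookie));
        System.out.println(extractCode("POST", "/other", null, form, "code=abc&state=af0ifjsldkj", cookie));
        System.out.println(extractCode("POST", "/callback", null, form, "code=abc&state=forged", cookie));
    }
}
```

A state cookie marked `SameSite=Lax` or `SameSite=Strict` is not sent by the browser on the cross-site POST from the provider, so a check like this only works if the cookie actually reaches the callback.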