
Support OIDC form_post response mode #22029

Closed
sberyozkin opened this issue Dec 8, 2021 · 5 comments · Fixed by #23794

sberyozkin (Member)

Description

Some OIDC providers such as Apple OIDC (as discovered by @FroMage) use a form_post response mode when returning the authorization code to quarkus-oidc, so instead of including it as a query parameter in a GET redirect it will be form-posted, alongside state, to Quarkus with a POST.

So this response mode should also be supported.

Implementation ideas

Fall back to checking the form payload if the state verification has been done but no code has been found in the query string.

@sberyozkin sberyozkin added the kind/enhancement New feature or request label Dec 8, 2021
quarkus-bot (bot) commented Dec 8, 2021

/cc @pedroigor

@quarkus-bot quarkus-bot bot added the area/oidc label Dec 8, 2021
FroMage (Member) commented Dec 8, 2021

I already have a proto of this working. Needs config and tests though.

sberyozkin (Member, Author) commented

We can tweak OIDC wiremock a bit to support the form_post as well, but, hmm... I've just realized the state is also posted, and if state is not a query param we can't decide whether the post body can be read... i.e., how can quarkus-oidc figure out this POST is for quarkus-oidc only? Perhaps by analyzing the state cookie value and comparing the path stored there with the current request path.

FroMage (Member) commented Dec 14, 2021

I've added preliminary support for this in FroMage@671c37c

I'm not sure this should require a configuration to turn it on or off, because this only happens when calling the OIDC callback endpoint, and we can just look at the method being used, whether it's GET or POST.
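The callback dispatch the thread converges on, as an added example that is neither quarkus-oidc's code nor FroMage's prototype: the code and state are read from the query string on a GET (response_mode=query) and from the form body on a POST carrying application/x-www-form-urlencoded (response_mode=form_post, which is what the OAuth 2.0 Form Post Response Mode spec mandates), the state is verified against the pending-login cookie before anything in the body is trusted, and the path stored in that cookie is compared with the request path so an unrelated application POST that happens to carry a `state` field is never mistaken for the callback. It is written in Python rather than Java so it runs stand-alone; the cookie name `q_auth`, its `<state>|<callback path>` layout and the sample requests are all constructed for the example.

```python
"""Accept an OIDC authorization response delivered either as a GET redirect
(response_mode=query) or as a form POST (response_mode=form_post).
Example code; not quarkus-oidc's implementation."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs
import hmac

STATE_COOKIE = "q_auth"  # assumed cookie name; value is "<state>|<callback path>"
FORM_CONTENT_TYPE = "application/x-www-form-urlencoded"  # what form_post responses carry


@dataclass
class Request:
    method: str
    path: str
    query: str = ""                    # raw query string without the leading "?"
    body: bytes = b""
    content_type: str = ""
    cookies: Dict[str, str] = field(default_factory=dict)


@dataclass
class CallbackResult:
    ok: bool
    source: str                        # "query", "form" or "none"
    code: Optional[str] = None
    reason: str = ""


def _single(params: Dict[str, List[str]]) -> Dict[str, str]:
    # Drop duplicated parameters instead of silently taking the first value.
    return {k: v[0] for k, v in params.items() if len(v) == 1}


def response_params(req: Request) -> Tuple[Dict[str, str], str]:
    """Locate code/state/error: query string for GET, form body for form_post."""
    if req.method == "GET":
        return _single(parse_qs(req.query)), "query"
    media_type = req.content_type.split(";", 1)[0].strip().lower()
    if req.method == "POST" and media_type == FORM_CONTENT_TYPE:
        return _single(parse_qs(req.body.decode("utf-8"))), "form"
    return {}, "none"  # JSON or other bodies are never treated as a callback


def handle_callback(req: Request) -> CallbackResult:
    params, source = response_params(req)
    state = params.get("state")
    if not state:
        return CallbackResult(False, source, reason="no state parameter")

    cookie = req.cookies.get(STATE_COOKIE)
    if cookie is None or "|" not in cookie:
        # No login is pending for this browser, so this POST is not ours.
        return CallbackResult(False, source, reason="no state cookie")
    expected_state, expected_path = cookie.split("|", 1)

    # Constant-time comparison; different lengths simply compare unequal.
    if not hmac.compare_digest(expected_state.encode(), state.encode()):
        return CallbackResult(False, source, reason="state mismatch")
    # The path recorded when the login started must be the path being called now.
    if expected_path != req.path:
        return CallbackResult(False, source, reason="callback path mismatch")

    if "error" in params:
        return CallbackResult(False, source, reason="provider error: " + params["error"])
    code = params.get("code")
    if not code:
        return CallbackResult(False, source, reason="state verified but no code found")
    return CallbackResult(True, source, code=code)


# Constructed sample requests (not captured traffic).
PENDING = {STATE_COOKIE: "s3cr3t-state|/app/callback"}
GET_CALLBACK = Request("GET", "/app/callback",
                       query="code=c0de&state=s3cr3t-state", cookies=dict(PENDING))
FORM_POST_CALLBACK = Request("POST", "/app/callback", body=b"code=c0de&state=s3cr3t-state",
                             content_type="application/x-www-form-urlencoded; charset=UTF-8",
                             cookies=dict(PENDING))
APP_FORM_POST = Request("POST", "/app/orders", body=b"item=1&state=CA",
                        content_type=FORM_CONTENT_TYPE, cookies=dict(PENDING))
FORGED_PATH_POST = Request("POST", "/app/other", body=b"code=c0de&state=s3cr3t-state",
                           content_type=FORM_CONTENT_TYPE, cookies=dict(PENDING))

if __name__ == "__main__":
    for name, req in [("GET", GET_CALLBACK), ("form_post", FORM_POST_CALLBACK),
                      ("app form", APP_FORM_POST), ("forged path", FORGED_PATH_POST)]:
        print(name, handle_callback(req))
```

Because the body is only consulted when the request is a form-encoded POST and the state cookie matches, the rest of the application's POST endpoints are never parsed by the OIDC layer, which is the concern raised about deciding when the post body may be read.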

FroMage (Member) commented Jan 20, 2022

@sberyozkin fixing this would be really nice.
