In the CAS implementation of OIDC, there is an issue with the handling of 
the response_mode parameter. According to the OIDC documentation, when 
response_mode is set to form_post, the response should be returned in the 
form of a POST request. However, the current implementation returns the 
response in the fragment format regardless of the response_mode value.

*Environment:*

   - CAS Version: 7.0.6
   - OIDC Specification: https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html

*Steps to Reproduce:*

   1. Set the response_type to id_token.
   2. Set the response_mode to form_post.
   3. Perform an OIDC login request.

*Expected Behavior:*

According to the OIDC documentation, the response should be returned as a 
POST request when response_mode is set to form_post. The response should be 
delivered via a form POST, not as a URL fragment.

*Actual Behavior:*

Regardless of the response_mode value, the response is always returned as a 
URL fragment (#), instead of a POST request. This behavior is inconsistent 
with the OIDC documentation.

*Additional Notes:*

   - The tests in your repository (e.g., oidc-debugger-idtoken-login script) 
   currently check for the url.hash from the browser, which is not the correct 
   behavior for response_mode=form_post. The correct behavior should involve 
   checking for a POST form submission, not a URL fragment.

   Refer to the test script here: 
https://github.com/apereo/cas/blob/master/ci/tests/puppeteer/scenarios/oidc-debugger-idtoken-login/script.js#L28
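As an added illustration (not code from the CAS project or from this post), here is what a spec-conforming form_post delivery looks like next to the fragment delivery described above, plus the check a browser test would apply; the function names and sample values are assumptions.

```javascript
// Added example, not CAS code. Function names and sample values are constructed.

// Escape attribute values so an id_token or state value cannot break out of the markup.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// The page an OP must return for response_mode=form_post: an auto-submitting
// form that POSTs the response parameters to the redirect_uri (no fragment).
function renderFormPost(redirectUri, params) {
  const inputs = Object.entries(params)
    .map(([k, v]) => `<input type="hidden" name="${escapeHtml(k)}" value="${escapeHtml(v)}"/>`)
    .join('\n');
  return `<html><head><title>Submit This Form</title></head>
<body onload="javascript:document.forms[0].submit()">
<form method="post" action="${escapeHtml(redirectUri)}">
${inputs}
</form></body></html>`;
}

// Classify how the RP actually received the response: POST body, URL fragment,
// or query string. `received` is what a test harness observes on the redirect_uri.
function parseAuthzResponse({ method, url, body }) {
  const u = new URL(url);
  if (method === 'POST' && body) {
    return { mode: 'form_post', params: Object.fromEntries(new URLSearchParams(body)), fragment: u.hash };
  }
  if (u.hash.length > 1) {
    return { mode: 'fragment', params: Object.fromEntries(new URLSearchParams(u.hash.slice(1))), fragment: u.hash };
  }
  return { mode: 'query', params: Object.fromEntries(u.searchParams), fragment: '' };
}

// The check the report says the test is missing: for form_post the id_token and
// state must arrive in the POST body and the URL fragment must be empty.
function checkResponseMode(expectedMode, received) {
  const r = parseAuthzResponse(received);
  if (r.mode !== expectedMode) return { ok: false, reason: `got ${r.mode}, expected ${expectedMode}` };
  if (!r.params.id_token || !r.params.state) return { ok: false, reason: 'missing id_token or state' };
  if (expectedMode === 'form_post' && r.fragment) return { ok: false, reason: 'fragment present' };
  return { ok: true, reason: '' };
}
```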
   

-- 
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
--- 
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To view this discussion on the web visit 
https://groups.google.com/a/apereo.org/d/msgid/cas-user/94f37d5f-7be3-496f-80e7-fcea09554cd5n%40apereo.org.