Hey all!

I have the same conclusion as Patryk. I built a CAS 7.1.1 recently with a 
minimal set of overlays to actually try out form_post. Turns out, even 
though I get an HTTP POST on my redirect URL instead of an HTTP GET, there 
is no data in the POST and the actual token value comes as a URL fragment. 
I don't have to point out that this feature should have added extra 
security on a possible UI flow, but we can't use it then. I don't see if 
there is a proper CAS Initializr to build 6.x.x, but I thought of trying 
that out, hopefully it is ok. Can anyone confirm if there is an existing 
CAS which works well with this response_mode?

Patryk Sondej wrote the following (Sunday, 4 August 2024, 16:06:24 UTC+2):

> In the CAS implementation of OIDC, there is an issue with the handling of 
> the response_mode parameter. According to the OIDC documentation, when 
> response_mode is set to form_post, the response should be returned in the 
> form of a POST request. However, the current implementation returns the 
> response in the fragment format regardless of the response_mode value.
>
> *Environment:*
>
>    - CAS Version: 7.0.6
>    - OIDC Specification: 
>    https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html
>
> *Steps to Reproduce:*
>
>    1. Set the response_type to id_token.
>    2. Set the response_mode to form_post.
>    3. Perform an OIDC login request.
>
> *Expected Behavior:*
>
> According to the OIDC documentation, the response should be returned as a 
> POST request when response_mode is set to form_post. The response should be 
> delivered via a form POST, not as a URL fragment.
>
> *Actual Behavior:*
>
> Regardless of the response_mode value, the response is always returned as 
> a URL fragment (#), instead of a POST request. This behavior is 
> inconsistent with the OIDC documentation.
>
> *Additional Notes:*
>
>    - The tests in your repository (e.g., the oidc-debugger-idtoken-login 
>    script) currently check for the url.hash from the browser, which is not 
>    the correct behavior for response_mode=form_post. The correct behavior 
>    should involve checking for a POST form submission, not a URL fragment.
>
>    Refer to the test script here: 
>    https://github.com/apereo/cas/blob/master/ci/tests/puppeteer/scenarios/oidc-debugger-idtoken-login/script.js#L28
>
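Added illustration, not code from either message or from the CAS project: what an authorization response for response_type=id_token delivers to a relying party under response_mode=fragment versus response_mode=form_post. The redirect URI, state and token are constructed placeholders; the form layout follows the Form Post Response Mode spec linked above.

```javascript
// Added example (not CAS code): fragment vs. form_post delivery of an
// id_token response, and what the relying party's redirect_uri handler sees.
const ESC = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const escapeHtml = (s) => String(s).replace(/[&<>"']/g, (c) => ESC[c]);
const unescapeHtml = (s) =>
  s.replace(/&(amp|lt|gt|quot|#39);/g, (m) => Object.keys(ESC).find((k) => ESC[k] === m));

// response_mode=fragment: parameters go after '#'. Browsers never send the
// fragment to the server, so only page script (window.location.hash) sees it.
function fragmentResponse(redirectUri, params) {
  const url = new URL(redirectUri);
  url.hash = new URLSearchParams(params).toString();
  return { status: 302, location: url.toString() };
}

// response_mode=form_post: a 200 HTML page whose auto-submitting form POSTs the
// parameters to redirect_uri as application/x-www-form-urlencoded. Every value
// is HTML-escaped before being placed in a hidden input.
function formPostResponse(redirectUri, params) {
  const inputs = Object.entries(params).map(
    ([k, v]) => `<input type="hidden" name="${escapeHtml(k)}" value="${escapeHtml(v)}"/>`);
  return { status: 200, body:
    `<html><head><title>Submit This Form</title></head>\n` +
    `<body onload="javascript:document.forms[0].submit()">\n` +
    `<form method="post" action="${escapeHtml(redirectUri)}">\n${inputs.join('\n')}\n` +
    `</form></body></html>` };
}

// Model the browser: follow a 302 as a GET, or submit the auto-posting form.
function browserDelivers(resp) {
  if (resp.status === 302) {
    const url = new URL(resp.location);
    return { method: 'GET', path: url.pathname, query: url.search.slice(1), body: '' };
  }
  const action = unescapeHtml(/action="([^"]*)"/.exec(resp.body)[1]);
  const fields = new URLSearchParams();
  for (const m of resp.body.matchAll(/name="([^"]*)" value="([^"]*)"/g)) {
    fields.append(unescapeHtml(m[1]), unescapeHtml(m[2]));
  }
  return { method: 'POST', path: new URL(action).pathname, query: '', body: fields.toString() };
}

// Relying-party redirect_uri handler: reads parameters from the POST body
// (form_post) or the query string, verifies state, and returns the id_token.
function handleCallback(req, expectedState) {
  const params = new URLSearchParams(req.method === 'POST' ? req.body : req.query);
  if (params.get('state') !== expectedState) throw new Error('state mismatch');
  return params.get('id_token'); // under fragment mode the server never sees it
}
```

The fragment case fails the state check on the server side because nothing after '#' ever leaves the browser; that is exactly why a server-side test for form_post must inspect the POST body, not url.hash.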

You received this message because you are subscribed to the Google Groups "CAS 
Community" group.