badgateway / oauth2-client

OAuth2 client for Node and browsers
https://www.npmjs.com/package/@badgateway/oauth2-client
MIT License

Support response_mode=fragment #143

Closed fzakfeld closed 3 weeks ago

fzakfeld commented 1 month ago

When passing response_mode=fragment to the authorization code flow request, most OAuth 2.0 and OIDC servers will respond with the code, state etc. encoded as a URL fragment instead of query params.

This has the security benefit of not showing up in the server logs because fragments are not sent to the server. Especially important when using a CDN or other external service to host the frontend, which usually shouldn't have access to sensitive credentials.

It would be good if GetAuthorizeUrlParams would have an additional attribute response_mode which can be set to "query" or "fragment". getTokenFromCodeRedirect would also need to be able to handle this kind of response.
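The behaviour requested above, as an added example that is not part of this issue or of the library's own code: build the authorization request with a `response_mode` parameter, then read `code` and `state` back from either the query string or the fragment of the redirect URL. The function names, the `responseMode` option and the sample redirect are assumptions made for this example; only the WHATWG URL API (available in browsers and Node) is used.

```javascript
// Added example (not the library's code): handling response_mode=fragment
// on the authorization-code redirect. Uses only the WHATWG URL API, which
// exists in both browsers and Node.

// Build the authorization request URL. `responseMode` is an assumed option
// name for this example; "query" is the OAuth 2.0 default and is not sent.
function buildAuthorizeUrl(authorizationEndpoint, { clientId, redirectUri, state, responseMode = 'query' }) {
  const url = new URL(authorizationEndpoint);
  url.searchParams.set('response_type', 'code');
  url.searchParams.set('client_id', clientId);
  url.searchParams.set('redirect_uri', redirectUri);
  url.searchParams.set('state', state);
  if (responseMode !== 'query') {
    url.searchParams.set('response_mode', responseMode);
  }
  return url.toString();
}

// Extract code and state from the URL the browser landed on after the
// redirect. With response_mode=fragment the server places them after '#',
// which the browser never sends to the host serving the redirect page, so
// they do not appear in that host's (or a CDN's) request logs.
function parseCodeRedirect(redirectUrl, expectedState, responseMode = 'query') {
  const url = new URL(redirectUrl);
  const params = responseMode === 'fragment'
    ? new URLSearchParams(url.hash.replace(/^#/, ''))
    : url.searchParams;
  if (params.has('error')) {
    throw new Error(`authorization failed: ${params.get('error')}`);
  }
  const code = params.get('code');
  const state = params.get('state');
  if (!code) throw new Error('missing code in redirect');
  // Reject a mismatched state: this is the CSRF check the spec requires.
  if (state !== expectedState) throw new Error('state mismatch');
  return { code, state };
}

// Constructed sample redirect, as an authorization server would issue it
// for response_mode=fragment (values are made up for this example).
const sampleFragmentRedirect =
  'https://app.example/callback#code=SplxlOBeZQQYbYS6WxSbIA&state=af0ifjsldkj';
```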

evert commented 1 month ago

OIDC is at the moment out of scope for this library. If there's an OAuth2 spec/standard for this let me know! I'm even fine with drafts if they have some level of adoption

fzakfeld commented 1 month ago

This abstract on openid.net defines the use of response_mode. https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html

The website is openid.net, but the abstract is about OAuth 2.0 not OIDC.

RFC 8414 mentions this as well: https://datatracker.ietf.org/doc/html/rfc8414#ref-OAuth.Responses

evert commented 1 month ago

Thank you! That seems like a pretty reasonable addition then