indigo-iam / iam

INDIGO Identity and Access Management Service
https://indigo-iam.github.io/

Implicit flow with post form should allow id_token only as response_type #598

Open chaen opened 1 year ago

chaen commented 1 year ago

As shown by PR https://github.com/indigo-iam/iam/pull/597, where I update the test, using only id_token as response_type does not work. Can this please be addressed? Thanks a lot!

rmiccoli commented 1 year ago

Hi, the implicit flow is not fully supported and this comes from the MitreID Connect library (see https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/issues/1226).

Moreover, the implicit flow will be deprecated and public clients will have to use the authorization code flow with PKCE extension.

chaen commented 1 year ago

> Moreover, the implicit flow will be deprecated and public clients will have to use the authorization code flow with PKCE extension.

The implicit flow with Form Post must not be deprecated because it does not suffer the same security flaw as the original specification. Please see https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html

chaen commented 1 year ago

Oh and btw, we just noticed that the response_mode=form_post is not respected, and we only ever get the tokens as response_mode=fragment.
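To make concrete what the two comments above are asking for, here is the relying-party side of an implicit flow that requests response_type=id_token with response_mode=form_post, together with a check for the misbehaviour reported (the id_token arriving in the URL fragment instead of a POST body). This is an added example, not code from indigo-iam, MitreID Connect or the linked PR. The issuer and redirect URLs, the client id and the shared secret are constructed; the example mints and verifies an HS256 id_token with a client secret so it runs offline, where a real IAM deployment would publish RS256 keys via its JWKS endpoint.

```python
"""Relying party side of an OIDC implicit flow with response_type=id_token and
response_mode=form_post. Added example; not code from indigo-iam or MitreID."""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed/constructed deployment values (not taken from the issue).
ISSUER = "https://iam.example.org"
CLIENT_ID = "rp-client"
CLIENT_SECRET = b"constructed-shared-secret"  # HS256 id_token MAC key (constructed)
REDIRECT_URI = "https://rp.example.org/callback"


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_authz_request(state: str, nonce: str) -> str:
    """Authorization request: id_token only, delivered by an auto-submitting
    HTML form POST to redirect_uri instead of in the redirect URL's fragment."""
    params = {"response_type": "id_token", "response_mode": "form_post",
              "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
              "scope": "openid", "state": state, "nonce": nonce}
    return f"{ISSUER}/authorize?{urlencode(params)}"


def _hs256(signing_input: bytes) -> bytes:
    return hmac.new(CLIENT_SECRET, signing_input, hashlib.sha256).digest()


def mint_id_token(sub: str, nonce: str, now: int) -> str:
    """Stand-in for the OP: mint a 5-minute HS256 id_token (constructed)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": ISSUER, "sub": sub, "aud": CLIENT_ID, "nonce": nonce,
              "iat": now, "exp": now + 300}
    payload = b64url(json.dumps(claims).encode())
    return f"{header}.{payload}.{b64url(_hs256(f'{header}.{payload}'.encode()))}"


def op_form_post_body(sub: str, state: str, nonce: str, now: int) -> str:
    """What the browser POSTs to redirect_uri (application/x-www-form-urlencoded)
    after submitting the OP's form_post page. Tokens never touch the URL."""
    return urlencode({"id_token": mint_id_token(sub, nonce, now), "state": state})


def op_fragment_redirect(sub: str, state: str, nonce: str, now: int) -> str:
    """The reported misbehaviour: a fragment redirect although form_post was asked for."""
    return f"{REDIRECT_URI}#{urlencode({'id_token': mint_id_token(sub, nonce, now), 'state': state})}"


def classify_response(form_body=None, location=None) -> str:
    """Report which response_mode the OP actually used."""
    if form_body:
        return "form_post"
    if location and urlsplit(location).fragment:
        return "fragment"
    if location and urlsplit(location).query:
        return "query"
    return "unknown"


def verify_id_token(token: str, expected_nonce: str, now: int) -> dict:
    """Check HS256 MAC, issuer, audience, expiry and nonce; return the claims."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = _hs256(f"{header_b64}.{payload_b64}".encode())
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER or claims.get("aud") != CLIENT_ID:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")  # replayed or injected id_token
    return claims


def handle_form_post(form_body: str, expected_state: str, expected_nonce: str,
                     now: int) -> dict:
    """Callback handler for the form_post response body."""
    fields = parse_qs(form_body, strict_parsing=True)
    if fields.get("state") != [expected_state]:
        raise ValueError("state mismatch")  # CSRF / login-injection check
    if "id_token" not in fields:
        raise ValueError("no id_token in response")
    return verify_id_token(fields["id_token"][0], expected_nonce, now)


if __name__ == "__main__":
    now = int(time.time())
    print(build_authz_request("st-1", "n-1"))
    print("form_post OK for", handle_form_post(
        op_form_post_body("alice", "st-1", "n-1", now), "st-1", "n-1", now)["sub"])
    print("OP answered with", classify_response(
        location=op_fragment_redirect("alice", "st-1", "n-1", now)), "instead of form_post")
```

The state and nonce are bound to the browser session before the redirect and checked on return; the form_post body is what a test such as the one in the linked PR should see on the callback, and classify_response is the check that distinguishes a correct form_post answer from the fragment redirect described in the comment.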

rmiccoli commented 6 months ago

Demonstration of this issue here #597. We'll fix it.