Open CrowdHailer opened 4 years ago
I’m afraid that in order to certify for code profile you must support query; in order to certify for the implicit and hybrid profiles, you must support fragment.
Ok, thanks for the quick response. I guess if I must support it there is no harm in most of the tests being done with a query response mode.
Is it the case that every test that is checking for calls to the `authz_cb` simply forwards the content to the `authz_post` endpoint?
I was seeing this output in my browser logs
```
Navigated to https://op-test:60001/authz_cb
[Violation] Forced reflow while executing JavaScript took 75ms
Navigated to https://op-test:60001/authz_post
```
I've curl'd the response from the first endpoint and get the following.
```html
<!DOCTYPE html>
<html>
<head>
  <title>OpenID Certification OP Test</title>
</head>
<body onload="document.forms[0].submit()">
  <form class="repost" action="authz_post" method="post">
    <input type="hidden" name="fragment" id="frag" value="x"/>
    <script type="text/javascript">
      if (window.location.hash) {
        var hash = window.location.hash.substring(1); //Puts hash in variable, and removes the # character
        document.getElementById("frag").value = hash;
      }
    </script>
  </form>
</body>
</html>
```
This seems to forward fragments, but not query strings?
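As an added illustration (not part of the thread and not the test suite's code): the sketch below mirrors the repost script in the `authz_cb` page and shows why only the fragment needs client-side forwarding. A URL fragment is never sent in the HTTP request, while a query string arrives with the GET itself. The function names, the `recoverParams` handler and the sample URLs are assumptions constructed for this example.

```javascript
// Added illustration; function names are hypothetical, inputs are constructed.

// Mirrors the script in the authz_cb page: only location.hash is copied into
// the hidden "fragment" field, whose default value is "x".
function repostBody(callbackUrl) {
  const hash = new URL(callbackUrl).hash;
  const value = hash ? hash.substring(1) : "x";
  return new URLSearchParams({ fragment: value }).toString();
}

// What a server sees on the GET to authz_cb: the fragment is never sent over
// HTTP, so only the path and the query string arrive.
function serverSideView(callbackUrl) {
  const u = new URL(callbackUrl);
  return u.pathname + u.search;
}

// Hypothetical handler: recover the authorization response parameters from
// whichever channel carried them (request query or reposted fragment).
function recoverParams(callbackUrl) {
  const seen = new URL(serverSideView(callbackUrl), "https://op-test:60001");
  if ([...seen.searchParams.keys()].length > 0) {
    return { mode: "query", params: Object.fromEntries(seen.searchParams) };
  }
  const posted = new URLSearchParams(repostBody(callbackUrl)).get("fragment");
  if (posted !== "x") {
    const params = Object.fromEntries(new URLSearchParams(posted));
    return { mode: "fragment", params };
  }
  return { mode: "none", params: {} };
}

// Constructed sample callback URLs.
const queryUrl = "https://op-test:60001/authz_cb?code=abc123&state=s1";
const fragmentUrl = "https://op-test:60001/authz_cb#id_token=e.y.J&state=s1";

console.log(repostBody(queryUrl), recoverParams(queryUrl));
console.log(serverSideView(fragmentUrl), recoverParams(fragmentUrl));
```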
Our service currently only supports the form_post response mode. From the form post spec
We therefore decided to only support this response mode. Is there anywhere that says that an OP must support query/fragment responses? And if not, would making this configurable be acceptable?