Describe the bug
If the authorization request contains the &response_mode=form_post parameter, the callback can't be a GET redirection. This also decreases security because the authorization_code travels in the URL.
To Reproduce
Initiate authorization with following url: http://auth-server:8091/oauth2/authorize?client_id=articles-client&response_type=code&response_mode=form_post&redirect_uri=http%3A%2F%2Fappgw%3A8081%2Fapi%2Flogin&state=asdfasdfadf&scope=articles-client+offline_access+openid
appgw:8081/api/login accepts only the POST method.
No form_post is sent back to the client.
Expected behavior
The callback needs to be called with the POST method, and code and state need to be in hidden form parameters.
https://auth0.com/docs/get-started/authentication-and-authorization-flow/implicit-flow-with-form-post
Sample
Any sample can be used with this extra parameter. The callback needs to reject GET calls.
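The behaviour this report expects, as an added illustration that is not part of the issue or of the project's code: the query-mode redirect that leaks the code into the URL, beside the form_post response (an auto-submitting HTML form carrying code and state in the POST body) and a callback that refuses GET. The redirect_uri and state come from the report; the authorization code is a constructed sample value.

```python
import html
from urllib.parse import urlencode, urlsplit

# Constructed sample values; the code is hypothetical, not from the issue.
REDIRECT_URI = "http://appgw:8081/api/login"
CODE = "SplxlOBeZQQYbYS6WxSbIA"
STATE = "asdfasdfadf"


def query_redirect(redirect_uri: str, code: str, state: str) -> str:
    """Default response_mode=query: the code is put in the Location URL,
    so it lands in browser history, proxy logs and Referer headers."""
    return f"{redirect_uri}?{urlencode({'code': code, 'state': state})}"


def form_post_response(redirect_uri: str, code: str, state: str) -> str:
    """response_mode=form_post: a 200 page with an auto-submitting form.
    The code travels in the POST body, never in the URL. Every value is
    HTML-escaped so a crafted state cannot break out of its attribute."""
    action = html.escape(redirect_uri, quote=True)
    fields = "".join(
        f'<input type="hidden" name="{html.escape(k, quote=True)}" '
        f'value="{html.escape(v, quote=True)}"/>'
        for k, v in (("code", code), ("state", state))
    )
    return (
        "<!DOCTYPE html><html><head><title>Submit</title></head>"
        '<body onload="document.forms[0].submit()">'
        f'<form method="post" action="{action}">{fields}'
        '<noscript><button type="submit">Continue</button></noscript>'
        "</form></body></html>"
    )


def callback(method: str, url: str, body: dict) -> tuple:
    """Client-side redirect_uri handler: accepts code and state only from a
    POST body, rejects GET, and refuses a code that arrived in the URL."""
    if method != "POST":
        return 405, {}
    if "code" in urlsplit(url).query:
        return 400, {}
    if not body.get("code") or not body.get("state"):
        return 400, {}
    return 200, {"code": body["code"], "state": body["state"]}
```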