Not handled correctly response_mode form_post #1241

Closed
fejpet opened this issue May 28, 2023 · 1 comment
Assignees
Labels
status: duplicate A duplicate of another issue

Comments

@fejpet
fejpet commented May 28, 2023

Describe the bug
If the authorization request contains the &response_mode=form_post parameter, the callback can't be a GET redirection. This also decreases security because the authorization_code travels in the URL.

To Reproduce
Initiate authorization with the following URL: http://auth-server:8091/oauth2/authorize?client_id=articles-client&response_type=code&response_mode=form_post&redirect_uri=http%3A%2F%2Fappgw%3A8081%2Fapi%2Flogin&state=asdfasdfadf&scope=articles-client+offline_access+openid

appgw:8081/api/login accepts only POST method.

No form_post is sent back to the client.

Expected behavior
The callback needs to be called with the POST method, and code and state need to be in hidden form parameters.
https://auth0.com/docs/get-started/authentication-and-authorization-flow/implicit-flow-with-form-post

Sample
Any sample can be used with this extra parameter. A callback needs to reject GET calls.
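The exchange the report describes, as an added Python example that is not part of this issue or of Spring Authorization Server: the authorization server answers a response_mode=form_post request with an auto-submitting HTML form whose hidden fields carry code and state, and the client callback accepts only POST, refuses a code arriving in the query string, and checks state against the value it stored when it started the flow. The redirect_uri and state come from the report; the authorization code value and the function names are constructed for illustration.

```python
import html
import re
from typing import Dict, Tuple

# Values from the report (redirect_uri, state) and a constructed placeholder code.
SAMPLE_REDIRECT_URI = "http://appgw:8081/api/login"
SAMPLE_STATE = "asdfasdfadf"
SAMPLE_CODE = "constructed-authorization-code-0001"  # constructed, not a real code


def build_form_post_response(redirect_uri: str, params: Dict[str, str]) -> str:
    """Render the page the OAuth 2.0 Form Post Response Mode prescribes:
    an auto-submitting form whose hidden fields carry the response parameters,
    so the user agent delivers code/state to redirect_uri in a POST body
    rather than in the URL (where it would land in logs and Referer headers).
    Every value is HTML-escaped so a crafted state cannot break out of the form."""
    inputs = "\n".join(
        f'    <input type="hidden" name="{html.escape(k, quote=True)}" '
        f'value="{html.escape(v, quote=True)}"/>'
        for k, v in params.items()
    )
    return (
        "<!DOCTYPE html>\n<html>\n<head><title>Submit This Form</title></head>\n"
        '<body onload="javascript:document.forms[0].submit()">\n'
        f'  <form method="post" action="{html.escape(redirect_uri, quote=True)}">\n'
        f"{inputs}\n"
        "  </form>\n</body>\n</html>\n"
    )


def parse_form_post_response(page: str) -> Tuple[str, Dict[str, str]]:
    """Recover the form action and hidden fields from a form_post page, i.e.
    exactly what the user agent will submit to the callback."""
    action = re.search(r'<form method="post" action="([^"]*)"', page).group(1)
    fields = {
        html.unescape(k): html.unescape(v)
        for k, v in re.findall(r'name="([^"]*)" value="([^"]*)"', page)
    }
    return html.unescape(action), fields


def handle_callback(method: str, query: Dict[str, str], form: Dict[str, str],
                    expected_state: str) -> Tuple[int, str]:
    """Client-side callback for a form_post flow (hypothetical handler).
    Rejects GET so a code is never accepted from the URL, refuses a code in the
    query string even on POST, and requires the state to match the stored one
    before the code is used."""
    if method != "POST":
        return 405, "callback accepts POST only"
    if "code" in query:
        return 400, "code must not be in the query string"
    if form.get("state") != expected_state:
        return 400, "state mismatch"
    code = form.get("code")
    if not code:
        return 400, "missing code"
    return 200, f"accepted code {code}"


if __name__ == "__main__":
    # Server side: build the form_post response for the report's redirect_uri.
    page = build_form_post_response(
        SAMPLE_REDIRECT_URI, {"code": SAMPLE_CODE, "state": SAMPLE_STATE}
    )
    print(page)
    # User agent: the form is submitted as a POST body to the callback.
    action, fields = parse_form_post_response(page)
    print(action, handle_callback("POST", {}, fields, SAMPLE_STATE))
    # The GET redirection the report observed is rejected by the callback.
    print(handle_callback("GET", {"code": SAMPLE_CODE, "state": SAMPLE_STATE}, {}, SAMPLE_STATE))
```

A callback wired this way surfaces the misbehaviour from the report immediately: a server that ignores response_mode and redirects with a GET gets a 405 instead of silently completing the login with a code taken from the URL.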

@fejpet fejpet added the type: bug A general bug label May 28, 2023
@jgrandja
Collaborator

Closing as duplicate of gh-207

@jgrandja jgrandja self-assigned this May 30, 2023
@jgrandja jgrandja added status: duplicate A duplicate of another issue and removed type: bug A general bug labels May 30, 2023
Development

No branches or pull requests

2 participants