Not handled correctly response_mode form_post #1241
Assignees
Labels
status: duplicate
A duplicate of another issue
Comments
|
Closing as duplicate of gh-207 |
jgrandja
added
status: duplicate
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Describe the bug
If authorization request contains &response_mode=form_post parameter, callback can't be a GET redirection. This also decrease security due authorization_code travels in the url.
To Reproduce
Initiate authorization with following url: http://auth-server:8091/oauth2/authorize?client_id=articles-client&response_type=code&response_mode=form_post&redirect_uri=http%3A%2F%2Fappgw%3A8081%2Fapi%2Flogin&state=asdfasdfadf&scope=articles-client+offline_access+openid
appgw:8081/api/login accepts only POST method.
No form_post send back to client.
Expected behavior
callback need to be called in POST method and code and state need to be in hidden form parameters
https://auth0.com/docs/get-started/authentication-and-authorization-flow/implicit-flow-with-form-post
Sample
Any sample can be used with this extra parameter. A call back need to reject GET calls.
The text was updated successfully, but these errors were encountered: