In the CAS implementation of OIDC, there is an issue with the handling of the response_mode parameter. According to the OIDC documentation, when response_mode is set to form_post, the response should be returned in the form of a POST request. However, the current implementation returns the response in the fragment format regardless of the response_mode value.
*Environment:*
- CAS Version: 7.0.6
- OIDC Specification: https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html

*Steps to Reproduce:*
1. Set the response_type to id_token.
2. Set the response_mode to form_post.
3. Perform an OIDC login request.

*Expected Behavior:*
According to the OIDC documentation, the response should be returned as a POST request when response_mode is set to form_post. The response should be delivered via a form POST, not as a URL fragment.

*Actual Behavior:*
Regardless of the response_mode value, the response is always returned as a URL fragment (#), instead of a POST request. This behavior is inconsistent with the OIDC documentation.

*Additional Notes:*
- The tests in your repository (e.g., the oidc-debugger-idtoken-login script) currently check for the url.hash from the browser, which is not the correct behavior for response_mode=form_post. The correct behavior should involve checking for a POST form submission, not a URL fragment. Refer to the test script here: https://github.com/apereo/cas/blob/master/ci/tests/puppeteer/scenarios/oidc-debugger-idtoken-login/script.js#L28

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/94f37d5f-7be3-496f-80e7-fcea09554cd5n%40apereo.org.
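The behaviour the report asks for, as an added example that is neither CAS code nor the poster's: a small Node.js model of how an OpenID provider shapes the authorization response for each response_mode (query, fragment, form_post), why an id_token request defaults to the fragment when no response_mode is sent, and the check a test for response_mode=form_post should make instead of reading url.hash. All function names, the redirect URI and the token values are constructed for the example.

```javascript
// Added example (not CAS code): how an OIDC provider should shape the
// authorization response for each response_mode, plus the check a test
// for response_mode=form_post should perform. Plain Node.js, no dependencies.

// HTML-escape a value before placing it in the auto-submitting form. The
// Form Post Response Mode spec requires this; an unescaped id_token or
// state value would otherwise break out of the hidden input's attribute.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Default response_mode when the client sends none: "code" alone uses the
// query string; any response_type containing a token ("id_token", "token",
// "code id_token", ...) uses the fragment. This is why an id_token request
// arrives as url.hash unless response_mode=form_post overrides it.
function defaultResponseMode(responseType) {
  const parts = responseType.trim().split(/\s+/);
  return parts.every((p) => p === 'code') ? 'query' : 'fragment';
}

// Build the HTTP response the provider sends back to the browser. `params`
// holds the response parameters (id_token, state, ...). Returns a plain
// object with status, headers and body so it can be inspected without a server.
function buildAuthorizationResponse({ redirectUri, responseType, responseMode, params }) {
  const mode = responseMode || defaultResponseMode(responseType);
  switch (mode) {
    case 'query': {
      const url = new URL(redirectUri);
      for (const [k, v] of Object.entries(params)) url.searchParams.set(k, v);
      return { status: 302, headers: { Location: url.toString() }, body: '' };
    }
    case 'fragment': {
      const encoded = new URLSearchParams(params).toString();
      return { status: 302, headers: { Location: `${redirectUri}#${encoded}` }, body: '' };
    }
    case 'form_post': {
      // 200 with an HTML page whose form POSTs the parameters to redirect_uri.
      // Cache-Control and Pragma follow the spec so the token page is not cached.
      const inputs = Object.entries(params)
        .map(([k, v]) => `<input type="hidden" name="${escapeHtml(k)}" value="${escapeHtml(v)}"/>`)
        .join('\n      ');
      const body = [
        '<!DOCTYPE html>',
        '<html>',
        '  <head><title>Submit This Form</title></head>',
        '  <body onload="javascript:document.forms[0].submit()">',
        `    <form method="post" action="${escapeHtml(redirectUri)}">`,
        `      ${inputs}`,
        '    </form>',
        '  </body>',
        '</html>',
      ].join('\n');
      return {
        status: 200,
        headers: {
          'Content-Type': 'text/html;charset=UTF-8',
          'Cache-Control': 'no-cache, no-store',
          Pragma: 'no-cache',
        },
        body,
      };
    }
    default:
      throw new Error(`unsupported response_mode: ${mode}`);
  }
}

// The assertion a form_post test should make: a 200 HTML page (no redirect)
// whose form POSTs to the registered redirect_uri and carries the expected
// parameter as a hidden field. A fragment redirect fails every part of this.
function isFormPostResponse(response, redirectUri, expectedParam) {
  if (response.status !== 200 || response.headers.Location) return false;
  const body = response.body || '';
  return (
    body.includes('<form method="post"') &&
    body.includes(`action="${escapeHtml(redirectUri)}"`) &&
    body.includes(`name="${escapeHtml(expectedParam)}"`)
  );
}

// Demo on constructed input: the same id_token request with and without
// response_mode=form_post (values are placeholders, not real tokens).
if (typeof require !== 'undefined' && require.main === module) {
  const demo = { redirectUri: 'https://rp.example.test/cb', responseType: 'id_token',
    params: { id_token: 'eyJhbGciOiJub25lIn0.e30.', state: 'abc<script>' } };
  console.log(buildAuthorizationResponse(demo).headers.Location);
  console.log(buildAuthorizationResponse({ ...demo, responseMode: 'form_post' }).body);
}
```

For a browser-driven test such as the puppeteer scenario linked above, the equivalent check is to intercept the request the browser makes to the redirect_uri and confirm it is a POST whose body carries id_token, rather than reading the page's hash; a fragment never reaches the server, so a form_post test that passes on url.hash is testing the wrong channel.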
