Will Croteau created CXF-8414:
---------------------------------
Summary: OAuth 2.0: authorize response_type order matters
Key: CXF-8414
URL: https://issues.apache.org/jira/browse/CXF-8414
Project: CXF
Issue Type: Bug
Components: JAX-RS Security
Affects Versions: 3.4.2
Reporter: Will Croteau
Per the OAuth2 Specification:
If a response type contains one or more space characters (%x20), it
is compared as a space-delimited list of values in which the order of
values does not matter. Only one order of values can be registered,
which covers all other arrangements of the same set of values.
For example, the response type "token code" is left undefined by this
specification. However, an extension can define and register the
"token code" response type. Once registered, the same combination
cannot be registered as "code token", but both values can be used to
denote the same response type.
OidcImplicitService and OidcHybridService both support multiple response types,
but require specific ordering. This is a violation of the OAuth2 specification.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)