Will Croteau created CXF-8414:
---------------------------------

             Summary: OAuth 2.0: authorize response_type order matters
                 Key: CXF-8414
                 URL: https://issues.apache.org/jira/browse/CXF-8414
             Project: CXF
          Issue Type: Bug
          Components: JAX-RS Security
    Affects Versions: 3.4.2
            Reporter: Will Croteau


Per the OAuth2 Specification:

If a response type contains one or more space characters (%x20), it
is compared as a space-delimited list of values in which the order of
values does not matter. Only one order of values can be registered,
which covers all other arrangements of the same set of values.

For example, the response type "token code" is left undefined by this
specification. However, an extension can define and register the
"token code" response type. Once registered, the same combination
cannot be registered as "code token", but both values can be used to
denote the same response type.

OidcImplicitService and OidcHybridService both support multiple response types, 
but require specific ordering. This is a violation of the OAuth2 specification.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to