Identityserver4: Response Type "code" and Response Mode "fragment"

Created on 11 Sep 2018 · 3 Comments · Source: IdentityServer/IdentityServer4

I am trying to integrate Che-ide with IdentityServer.

Che uses the following script:

https://github.com/eclipse/che/blob/07263f1e30089689d71b057f747a44a29283e3c4/assembly/assembly-wsmaster-war/src/main/webapp/WEB-INF/classes/keycloak/OIDCKeycloak.js

It generates the following URL for login:

http://192.168.99.1/core/connect/authorize?client_id=che-public&redirect_uri=http%3A%2F%2Fche-che.192.168.99.100.nip.io%2Fdashboard%2F&state=cf6ba053-8772-491e-95c5-ebab6f5df5e6&response_mode=fragment&response_type=code&scope=openid&nonce=a512567c-3b49-492a-967f-06108e7ca7e5

IdentityServer shows the error "Invalid response_mode for flow".

You can see that the response type is "code" and the response mode is "fragment".

The OpenID spec indicates:
"For purposes of this specification, the default Response Mode for the OAuth 2.0 code Response Type is the query encoding"

https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#ResponseModes

The OpenID spec does not forbid other response modes such as "fragment".

But IdentityServer doesn't allow this configuration.

https://github.com/IdentityServer/IdentityServer4/blob/75b1a660c3cab2580112e6e0288f3f6bed8189f9/src/Constants.cs#L79

question


All 3 comments

> But Identity server doesn't allow this configuration.

We don't because normally code flow is for server-side apps, and fragment is for JS-based browser apps.

> We don't because normally code flow is for server-side apps, and fragment is for JS-based browser apps.

But code flow isn't just for server-side apps. It's also used in native apps, and can be used in browser-based apps (it's even recommended now, according to your blog article). And as far as I can tell, there's nothing to prevent native apps from receiving the response as fragment (which is supposed to be more secure) rather than query. So wouldn't it make sense to allow this combination?

BTW, the error in this scenario is a bit strange: the error is unsupported_response_type, but the error description is Invalid response_mode. Is that intentional?
