Hi all! Is there possibly some update about this one? Without a fix for this, only an inferior workflow can be implemented by anybody, which is clearly not that secure. The specification clearly states HTTP POST, and I'm not sure after all this time, but I think some documentation on CAS also implied that this should work like the standard.

On Tuesday, January 21, 2025 at 4:57:25 UTC+1, Jason Rocks wrote:
> I'm having the same issue. Is there a fix for this?
>
> On Sunday, August 4, 2024 at 8:06:24 AM UTC-6 Patryk Sondej wrote:
>
>> In the CAS implementation of OIDC, there is an issue with the handling of the response_mode parameter. According to the OIDC documentation, when response_mode is set to form_post, the response should be returned in the form of a POST request. However, the current implementation returns the response in the fragment format regardless of the response_mode value.
>>
>> *Environment:*
>>
>> - CAS Version: 7.0.6
>> - OIDC Specification: https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html
>>
>> *Steps to Reproduce:*
>>
>> 1. Set the response_type to id_token.
>> 2. Set the response_mode to form_post.
>> 3. Perform an OIDC login request.
>>
>> *Expected Behavior:*
>>
>> According to the OIDC documentation, the response should be returned as a POST request when response_mode is set to form_post. The response should be delivered via a form POST, not as a URL fragment.
>>
>> *Actual Behavior:*
>>
>> Regardless of the response_mode value, the response is always returned as a URL fragment (#), instead of a POST request. This behavior is inconsistent with the OIDC documentation.
>>
>> *Additional Notes:*
>>
>> - The tests in your repository (e.g., the oidc-debugger-idtoken-login script) currently check for the url.hash from the browser, which is not the correct behavior for response_mode=form_post. The correct behavior should involve checking for a POST form submission, not a URL fragment.
>>
>> Refer to the test script here:
>> https://github.com/apereo/cas/blob/master/ci/tests/puppeteer/scenarios/oidc-debugger-idtoken-login/script.js#L28

--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscr...@apereo.org.
To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/c1b243b7-bc31-4239-8172-8a0200b7c1cdn%40apereo.org.
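The two encodings the report contrasts, as an added example that is not CAS code and not part of the thread: an OpenID Provider that honours response_mode, producing either a 302 with the parameters in the URL fragment or the auto-submitting HTML form that the OAuth 2.0 Form Post Response Mode spec (section 2) requires, plus a small stand-in for the browser that shows what the relying party's redirect_uri endpoint actually receives in each case. The redirect_uri, state and id_token values are constructed sample data, and the function names are this example's own. The state value deliberately contains characters that must be HTML-escaped in the form page and percent-encoded in the POST body; checkDelivery also reproduces the reported failure (form_post requested, fragment delivered), where the parameters never reach the server at all.

```javascript
// Added example (not CAS code). Demonstrates response_mode=fragment versus
// response_mode=form_post for an OIDC authorization response, and what a
// relying-party test must inspect in each case. Sample values are constructed.

function htmlEscape(s) {
  return String(s).replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

function htmlUnescape(s) {
  return s.replace(/&(amp|lt|gt|quot|#39);/g, (_, e) =>
    ({ amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" }[e]));
}

// response_mode=fragment: a 302 whose Location carries the parameters after '#'.
// The fragment is never sent to the relying party's server; only script running
// in the browser (e.g. a test reading url.hash) can see it.
function fragmentResponse(redirectUri, params) {
  return { status: 302, location: `${redirectUri}#${new URLSearchParams(params)}` };
}

// response_mode=form_post: a 200 HTML page whose form auto-submits the
// parameters as application/x-www-form-urlencoded via POST to redirect_uri.
// Every value is HTML-escaped so a state or error_description cannot break out
// of the attribute and inject markup into the provider's page.
function formPostResponse(redirectUri, params) {
  const inputs = Object.entries(params)
    .map(([k, v]) => `<input type="hidden" name="${htmlEscape(k)}" value="${htmlEscape(v)}"/>`)
    .join('\n    ');
  const body = `<!DOCTYPE html>
<html><head><title>Submit This Form</title></head>
<body onload="document.forms[0].submit()">
  <form method="post" action="${htmlEscape(redirectUri)}">
    ${inputs}
    <noscript><button type="submit">Continue</button></noscript>
  </form>
</body></html>`;
  return { status: 200, contentType: 'text/html;charset=UTF-8', body };
}

// The dispatch the thread says is missing: response_mode selects the encoding
// instead of every request falling through to the fragment.
function authorizationResponse(responseMode, redirectUri, params) {
  switch (responseMode) {
    case 'form_post': return formPostResponse(redirectUri, params);
    case 'fragment': return fragmentResponse(redirectUri, params);
    default: throw new Error(`unsupported response_mode: ${responseMode}`);
  }
}

// Minimal stand-in for the browser: follows a 302 as a GET (keeping the
// fragment client-side), or submits the first form of an HTML page as a POST.
// Returns what the redirect_uri endpoint would observe.
function simulateUserAgent(response) {
  if (response.status === 302) {
    const url = new URL(response.location);
    const hash = url.hash.slice(1);
    url.hash = '';
    return { method: 'GET', url: url.toString(), hash, body: '' };
  }
  const action = htmlUnescape(/<form method="post" action="([^"]*)"/.exec(response.body)[1]);
  const fields = new URLSearchParams();
  for (const m of response.body.matchAll(/<input type="hidden" name="([^"]*)" value="([^"]*)"\/>/g)) {
    fields.append(htmlUnescape(m[1]), htmlUnescape(m[2]));
  }
  return { method: 'POST', url: action, hash: '', body: fields.toString() };
}

// What a conformance check should assert: for form_post the parameters must
// arrive in a POST body, for fragment in the hash. Reading url.hash alone (as
// the test script in the thread does) only ever validates the fragment branch.
function checkDelivery(responseMode, response, params) {
  const seen = simulateUserAgent(response);
  const wantPost = responseMode === 'form_post';
  const received = new URLSearchParams(wantPost ? seen.body : seen.hash);
  const ok = seen.method === (wantPost ? 'POST' : 'GET')
    && Object.entries(params).every(([k, v]) => received.get(k) === v);
  return { ...seen, ok };
}

// Constructed sample: the id_token is a placeholder, the state contains
// characters that must be escaped in HTML and percent-encoded in the body.
const SAMPLE = {
  redirectUri: 'https://rp.example.com/cb',
  params: { id_token: 'eyJhbGciOiJub25lIn0.e30.', state: 'xyz&"<1>' },
};

for (const mode of ['fragment', 'form_post']) {
  const resp = authorizationResponse(mode, SAMPLE.redirectUri, SAMPLE.params);
  console.log(mode, checkDelivery(mode, resp, SAMPLE.params));
}
// The behaviour reported in the thread: form_post requested, fragment returned.
console.log('form_post served as fragment',
  checkDelivery('form_post', fragmentResponse(SAMPLE.redirectUri, SAMPLE.params), SAMPLE.params));
```

Run it with `node` to see the two deliveries side by side; the third line shows the mismatch case with `ok: false` and an empty body, which is exactly why a form_post relying party that expects a POST gets nothing when the provider falls back to the fragment.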