form_post response_mode #1591
Comments
|
This response mode is exotic and to my knowledge used in legacy scenarios.
That's only true for the implicit flow. However, Hydra supports more modern (and appropriate flows) like Authorization Code + PKCE which are recommended for all (or client side) native applications. All HTLM5 capable browsers can handle this flow. |
|
No it's not only true for implicit flow. For all flows that respond with id_token the response_mode will be fragment. And I'm not talking about browser support for fragments. That's ofcource not issue. Issue is that we are developing a desktop application which for the authentication uses users system browser (like recommended in spec AFAIK) to get the response. But It's not possible to programmatically read URL fragment from browser. Just to illustrate the problem have a look at the IdentityModel.OidcClient sample: https://github.com/IdentityModel/IdentityModel.OidcClient.Samples/blob/master/ConsoleSystemBrowser/ConsoleSystemBrowser/Program.cs |
Yes, because that's the hybrid flow which uses the fragment (based on top of implicit flow). You can get the id token with Authorize Code + PKCE though too, which is the most secure way to date in which is recommended for native applications. |
|
How is id_token returned there? I don't see the possibility of it being returned as GET parameter as this is insecure (that's why fragment is used). Also IdentityModel.OidcClient library that we planned to use does not seem to allow Auth Code + PKCE flow without id_token (which would be fine for our usecase). I created an issue on their repository on that: IdentityModel/IdentityModel.OidcClient#160 . So currently I have no idea how to implement OAuth2 or OIDC in our desktop app with PKCE. If someone has any suggestions on libraries etc then it would be helpful also. But I think adding form_post response_mode support would be the best scenario as it would make this server work in much wider usecases. |
|
The Authorization Code Exchange returns the ID Token (if requested), that's absolutely standard and highly secure and recommended. Here's an example: https://developer.okta.com/docs/guides/implement-auth-code/exchange-code-token/ |
|
@aeneasr Hydra will not respond with id_token in my testcase when I'm using Auth Code + PKCE. You mean to tell me it should? |
|
Yes of course it does, that's extremely well tested and even certified by the OpenID foundation. |
|
I think I have mixed up OAuth2 an OIDC flows in my head already. I was talking about OIDC AuthorizationCode flow. Which looks like that: Request sent to server from my application: Response I get to the redirect_uri: This does not include id_token (and this is correct I assume then?). Anyway it seems I just can't use Btw. Thenk you for your time. You have been very helpful on clearing things out once again. PS! I still think form_post method is a needed feature in Hydra. I don't think I'm only one struggling with this. |
Please read how the auth code flow works, as pointed out above, here: https://developer.okta.com/docs/guides/implement-auth-code/exchange-code-token/ You get the ID Token in the response of the exchange. Only because it isn't visible in the URL doesn't mean it's not there... Keep in mind that you as with all OIDC flows need to explicitly request and authorize the openid scope.
I don't know as I've never used that library, but any decent OIDC / OAuth2 library supports fetching the ID Token using the regular (and most commonly used) Authorize Code Flow because that is the standard and most secure way of retrieving access, refresh, and ID tokens, period.
I disagree because this is only useful in legacy scenarios where browsers/clients did not have the ability to properly route requests without hashtags (IE9?). This has changed years ago and all browsers now support this rudimental HTML5 feature. Adding this feature won't improve the state of things but it will require us to do another round of certification with the OpenID Foundation with very, very, very limited upsides. What you're trying to achieve (get an ID token for a native client) is absolutely possible and something very standard that is extremely easy to achieve using regular Authorize Code Flow. Maybe it would be a good idea to take another look at the video from our documentation: |
|
There are two separate issues that I try to explain clearly - just to be sure we both understand things correctly. First issue Second issue I could not find a way to get id_token as GET parameter in OIDC flow. it always comes back as URL fragment (as it should). And now I'm in total standstill because I can't find a way to use OIDC in desktop application because I can't access URL fragment and Hydra also does not support form_post response. Now my only hope I think is to stop using OIDC alltogether and try to find OAuth2 library that knows how to use PKCE flow to use in my desktop application. Haven't had any luck with that right now (maybe havent tried hard enough). Seems like I need to implement the whole client side myself - which does not seem like a good idea. |
I said:
|
|
Regarding C#, I have no idea as I do not write Windows Desktop Applications, but I'm sure you're not the first one with this issue. From Google Search results: https://www.scottbrady91.com/OpenID-Connect/ASPNET-Core-using-Proof-Key-for-Code-Exchange-PKCE |
|
On top of that, by quickly checking the code on GitHub, IdentityModel supports the authorization code flow: https://github.com/IdentityModel/IdentityModel.OidcClient/blob/635a2051e304b744e3a31eb33c40ccca3728caf2/clients/ConformanceTests/Helper.cs |
So you mean this request should respond with id_token? I dont see it in query or not even in body of response.
Yes exactly. And as you can read from there they are also using form_post response_mode. That's exactly why I also need this response_mode. This flow does not work without it on desktop app AFAIK.
Yes I know. I have tried to use it (example request in this post is also made with this flow) and it's not working because IdentityModel needs id_token in the response but it's not in the response. |
|
I'm sorry but we have to cut this discussion short after my reply, as we're going in circles and I believe that I've answered the questions sufficiently. From my point of view, your use case can be solved with the tools Hydra provides and the current wall being hit is more related to missing puzzle pieces with regards to how OpenID Connect works and/or how Hydra's APIs work.
When you exchange the code you will get an ID Token back, but only if you make sure that: a) the scope
This is, again, most likely related to what I've said already:
I will be closing this issue because I have not found sufficient evidence that the response mode Please, read over the documentation again. I believe that everything is laid out in much detail and that there are sufficient materials on how all of this works. If you find concrete proof or evidence to the contrary of my findings please feel free to comment or request to reopen this issue. But again, all of this works, and to the best of my knowledge with the tools you're using, with more secure flows, without the need form our side to implement something that's really legacy and that will add no additional benefit. |
Thank you. This was the part I was missing somehow in current test case. Thanks for all the time you wasted on me. It was really helpful. |
ghost
mentioned this issue
|
See #1621 for followup. |
OIDC implementation is missing form_post response_mode currently. This makes developing a desktop application with OIDC kind of impossible currently.
That's because id_token request will be sent back as URL fragment. That in turn can't be read from system browser through HttpListener.
Spec: https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html
The text was updated successfully, but these errors were encountered: