OIDC response_mode broken


Patryk Sondej

Aug 4, 2024, 10:06:24 AM
to CAS Community

In the CAS implementation of OIDC, there is an issue with the handling of the response_mode parameter. According to the OIDC documentation, when response_mode is set to form_post, the response should be returned in the form of a POST request. However, the current implementation returns the response in the fragment format regardless of the response_mode value.

Environment:

Steps to Reproduce:

  1. Set the response_type to id_token.
  2. Set the response_mode to form_post.
  3. Perform an OIDC login request.

Expected Behavior:

According to the OIDC documentation, the response should be returned as a POST request when response_mode is set to form_post. The response should be delivered via a form POST, not as a URL fragment.

Actual Behavior:

Regardless of the response_mode value, the response is always returned as a URL fragment (#), instead of a POST request. This behavior is inconsistent with the OIDC documentation.

Additional Notes:


Béla Újházi

Nov 6, 2024, 10:05:40 AM
to CAS Community, Patryk Sondej
Hey all!

I have the same conclusion as Patryk. I built a CAS 7.1.1 recently with a minimal set of overlays to actually try out form_post. Turns out that even though I get an HTTP POST on my redirect URL instead of an HTTP GET, there is no data in the POST and the actual token value comes as a URL fragment. I don't have to point out that this feature should have added extra security on a possible UI flow, but we can't use it then. I don't see if there is a proper CAS Initializr to build 6.x.x, but I thought of trying that out, hopefully it is OK. Can anyone confirm if there is an existing CAS which works well with this response_mode?

Jason Rocks

Jan 20, 2025, 10:57:25 PM
to CAS Community, Patryk Sondej
I'm having the same issue. Is there a fix for this?

Béla Újházi

Feb 27, 2025, 11:21:29 AM
to CAS Community, Jason Rocks, Patryk Sondej
Hi all!

Is there possibly some update about this one? Without a fix for this, only an inferior workflow could be implemented by anybody, which is clearly not that secure. The specification clearly states HTTP POST, and I'm not sure after all this time, but I think some documentation on CAS also implied that this should work like the standard.