This project has moved. For the latest updates, please go here.
1

Closed

Query response mode not supported in OpenIDConnect

description

The Microsoft.Owin.Security.OpenIdConnect middleware exclusively supports the form_post response mode for handling response messages. While the OpenID Connect v1.0 specifications support 2 more response modes. fragment which is intended for being handled by the browser. And query which can be handled on either the browser or the server.

For compliance sake this response mode (in spite of it's size limitations) should be implemented.
Which should not be that different from the form_post support currently available.

Adding into protected override async Task<AuthenticationTicket> AuthenticateCoreAsync(), of OpenidConnectAuthenticationHandler.cs already seems to be sufficient.
// Also support the query response mode.
else if (string.Equals(Request.Method, "GET", StringComparison.OrdinalIgnoreCase) &&
    Request.Query.Any(q => q.Key == "id_token"))
{
    openIdConnectMessage = new OpenIdConnectMessage(Request.Query);
}
Closed Mar 2 at 9:39 PM by mgirgin

comments

Tratcher wrote Dec 8, 2015 at 3:59 PM

FYI: Development of this component has moved to https://github.com/aspnet/security, where the query mode has already been implemented.