This project has moved. For the latest updates, please go here.


Query response mode not supported in OpenIDConnect


The Microsoft.Owin.Security.OpenIdConnect middleware exclusively supports the form_post response mode for handling response messages. While the OpenID Connect v1.0 specifications support 2 more response modes. fragment which is intended for being handled by the browser. And query which can be handled on either the browser or the server.

For compliance sake this response mode (in spite of it's size limitations) should be implemented.
Which should not be that different from the form_post support currently available.

Adding into protected override async Task<AuthenticationTicket> AuthenticateCoreAsync(), of OpenidConnectAuthenticationHandler.cs already seems to be sufficient.
// Also support the query response mode.
else if (string.Equals(Request.Method, "GET", StringComparison.OrdinalIgnoreCase) &&
    Request.Query.Any(q => q.Key == "id_token"))
    openIdConnectMessage = new OpenIdConnectMessage(Request.Query);
Closed Mar 2 at 10:39 PM by mgirgin


Tratcher wrote Dec 8, 2015 at 4:59 PM

FYI: Development of this component has moved to, where the query mode has already been implemented.