The Microsoft.Owin.Security.OpenIdConnect middleware exclusively supports the
response mode for handling response messages. While the
OpenID Connect v1.0 specifications
support 2 more response modes.
which is intended for being handled by the browser. And
which can be handled on either the browser or the server.
For compliance's sake this response mode (in spite of its size limitations) should be implemented.
Which should not be that different from the
support currently available.
protected override async Task<AuthenticationTicket> AuthenticateCoreAsync()
already seems to be sufficient.
    // Also support the query response mode.
    else if (string.Equals(Request.Method, "GET", StringComparison.OrdinalIgnoreCase) &&
             Request.Query.Any(q => q.Key == "id_token"))
    {
        openIdConnectMessage = new OpenIdConnectMessage(Request.Query);
    }
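
A stricter form of the query check proposed above, added here as an example (it is not part of the original post or of the Katana source): it also recognises `code` and `error` responses, rejects duplicated parameters, and requires `state` before building the message. The names `QueryResponseReader` and `TryRead` are hypothetical, and the `Microsoft.IdentityModel.Protocols` namespace for `OpenIdConnectMessage` is an assumption that depends on the package version in use.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.IdentityModel.Protocols; // assumed namespace of OpenIdConnectMessage
using Microsoft.Owin;

// Added example: hypothetical helper, not Katana code.
public static class QueryResponseReader
{
    // Parameters that mark a GET as an authorization response
    // rather than an ordinary page request.
    private static readonly string[] ResponseKeys = { "code", "id_token", "error" };

    public static bool TryRead(IOwinRequest request, out OpenIdConnectMessage message)
    {
        message = null;

        if (!string.Equals(request.Method, "GET", StringComparison.OrdinalIgnoreCase))
        {
            return false;
        }

        // Nothing to do unless at least one response parameter is present.
        if (!request.Query.Any(q => ResponseKeys.Contains(q.Key, StringComparer.Ordinal)))
        {
            return false;
        }

        // A parameter supplied twice is ambiguous: refuse it instead of
        // silently picking one of the values.
        foreach (string key in ResponseKeys.Concat(new[] { "state" }))
        {
            IList<string> values = request.Query.GetValues(key);
            if (values != null && values.Count > 1)
            {
                return false;
            }
        }

        // Design choice of this example: a GET without state is not treated
        // as a response, because state is what ties it to a request we sent.
        if (string.IsNullOrEmpty(request.Query.Get("state")))
        {
            return false;
        }

        message = new OpenIdConnectMessage(request.Query);
        return true;
    }
}
```

Values delivered in the query string are commonly recorded in web server access logs and browser history, so an `id_token` received this way should be treated as exposed to anything that can read those.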