simplesamlphp-module-oidc icon indicating copy to clipboard operation
simplesamlphp-module-oidc copied to clipboard

Published 20 hours ago verified publisher icon simplesamlphp

No support for HTTP POST method at Authorization Endpoint

Open cicnavi opened this issue 3 years ago • 2 comments

We currently support only HTTP GET method at Authorization Endpoint.

Per OIDC spec for authn request:

Authorization Servers MUST support the use of the HTTP GET and POST methods defined in RFC 2616 [RFC2616] at the Authorization Endpoint. Clients MAY use the HTTP GET or POST methods to send the Authorization Request to the Authorization Server. If using the HTTP GET method, the request parameters are serialized using URI Query String Serialization, per Section 13.1. If using the HTTP POST method, the request parameters are serialized using Form Serialization, per Section 13.2.

cicnavi avatar Feb 11 '22 08:02 cicnavi

Note that this is also needed to properly support automatic client registration functionality from OpenID Federation specification.

cicnavi avatar Aug 23 '24 08:08 cicnavi

This is addressed in v6 in PR https://github.com/simplesamlphp/simplesamlphp-module-oidc/pull/242.

However, this will have to be refactored in order to support 'request object' from core specification: https://openid.net/specs/openid-connect-core-1_0.html#RequestObject

cicnavi avatar Aug 26 '24 08:08 cicnavi