Support form_post OIDC response mode

Open TymanWasTaken opened this issue 1 year ago • 3 comments

Preflight Checklist

  • [X] I could not find a solution in the existing issues, docs, nor discussions
  • [X] I have joined the ZITADEL chat

Describe your problem

I was trying to set up Hocus on a local computer, and since I already use Zitadel for authentication for many other programs I host, I wanted to configure it to use my existing Zitadel self-hosted instance as its OIDC provider. However, after trying, it appears that Hocus uses id_token as its response type and form_post as its response mode. Using GitHub search and looking through the Zitadel admin UI, I can see no way to enable form_post as a valid response mode, so I assume it isn't implemented anywhere. The only reference I can find is that Apple's IDP implementation uses it, but that is for external OIDC, not OIDC handled by Zitadel.

Describe your ideal solution

The best solution to this would just be to implement form_post as a valid response mode in Zitadel OIDC applications, so applications can be configured to respond correctly to requests that ask for this response type. This would open up Zitadel to being used for both Hocus and any other programs that use form_post as their response mode.

Version

v2.42.10

Environment

Self-hosted

Additional Context

No response

TymanWasTaken avatar Jan 14 '24 18:01 TymanWasTaken

hei @livio-a @muhlemmer what do you think about this?

hifabienne avatar Jan 15 '24 07:01 hifabienne

The OpenID connect standard is this one: https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html

Instead of sending a typical redirect to the client's callback, we would respond with an HTML <form> that auto-submits to the token endpoint. The form data holds the same data as the redirected URL would.

Overall complexity would be low to implement in OIDC. However, I don't see this being high priority at the moment.

I will migrate this to the OIDC repository as it needs to be implemented there.

muhlemmer avatar Jan 15 '24 10:01 muhlemmer
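
A sketch of the form_post response discussed in the comment above, added here as an example; it is not code from ZITADEL or its OIDC library. In the specification linked above, the form's action is the client's redirection URI. `RenderFormPost` and the template are hypothetical names, and the sample values are constructed.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"net/url"
)

// Hypothetical template. html/template escapes each value for its context,
// so a client-supplied value such as state cannot break out of the attribute.
var formPostTmpl = template.Must(template.New("form_post").Parse(`<!DOCTYPE html>
<html><head><title>Submit This Form</title></head>
<body onload="document.forms[0].submit()">
<form method="post" action="{{.Action}}">
{{range $name, $value := .Params}}<input type="hidden" name="{{$name}}" value="{{$value}}"/>
{{end}}</form></body></html>`))

// RenderFormPost returns the HTML body of a form_post authorization response.
// Assumption: redirectURI was already matched against the client's registered
// redirect URIs; the scheme and host check here is only defence in depth.
func RenderFormPost(redirectURI string, params map[string]string) (string, error) {
	u, err := url.Parse(redirectURI)
	if err != nil || u.Host == "" || (u.Scheme != "https" && u.Scheme != "http") {
		return "", fmt.Errorf("refusing redirect URI %q", redirectURI)
	}
	data := struct {
		Action string
		Params map[string]string
	}{redirectURI, params}
	var buf bytes.Buffer
	if err := formPostTmpl.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	// Constructed sample values, not taken from a real request.
	body, err := RenderFormPost("https://client.example.org/callback",
		map[string]string{"id_token": "header.payload.signature", "state": `"><script>x</script>`})
	fmt.Println(body, err)
}
```

Because the body carries tokens, the specification's example response is sent with `Cache-Control: no-cache, no-store`.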

Thank you for sharing your idea. If there is a significant demand from customers/community, we will carefully consider implementing the feature. Currently, the issue will be added to our product backlog to collect feedback.

Meanwhile, if you're interested in implementing it yourself, we also welcome pull requests.

hifabienne avatar Jan 16 '24 07:01 hifabienne

@muhlemmer @livio-a Hey, I attempted an implementation of form_post as a trial. How does it look? Here it is #551.

ay4toh5i avatar Feb 25 '24 10:02 ay4toh5i