OIDC response_mode= form_post

I am implementing response_mode=form_post and I would like to know which response_types this mode can be used with.

I have seen in a few places that it supports response_type=code and response_type=id_token (the sign-in-only case). When an access_token is returned, i.e. response_type=id_token token, can we use form_post?

response_mode controls how the tokens are delivered to the client: if you use response_mode=form_post they are delivered via an auto-submitted form POST generated by the identity provider. If you don't supply it, you get the tokens via the query string. As far as I know, there are no other options.

Basically, response_mode defines how the tokens (ID/access/refresh) are delivered to your client.

According to the spec here:

It says:

This specification defines the Form Post Response Mode, which is described with the response_mode parameter value:

In this mode, Authorization Response parameters are encoded as HTML form values that are auto-submitted in the User Agent, and thus are transmitted via the HTTP POST method to the Client, with the result parameters being encoded in the body using the application/x-www-form-urlencoded format. The action attribute of the form MUST be the Client's Redirection URI. The method of the form attribute MUST be POST. Because the Authorization Response is intended to be used only once, the Authorization Server MUST instruct the User Agent (and any intermediaries) not to store or reuse the content of the response.

Any technique supported by the User Agent MAY be used to cause the submission of the form, and any form content necessary to support this MAY be included, such as submit controls and client-side scripting commands. However, the Client MUST be able to process the message without regard for the mechanism by which the form submission was initiated.

https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html

You can use any response type with the form_post response mode. The specification defines the default response modes that should be used with a given response type, but the form_post spec does not restrict its use to particular response_type values.

That said, this should have no impact on your implementation at all. You just need to accept the form returned by the authorization server and submit it, exactly as you would submit any other HTML form on a page. So the contents of the form should not matter to you; the action URL will be in the form in any case.
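Both halves of that exchange, as an added example that is not part of either answer above: the authorization server renders the auto-submitting form the first answer describes (with the no-cache/no-store headers the quoted spec text requires), a minimal stand-in for the user agent submits it, and the client consumes the POST at its redirection URI. The client code is the same for every response_type, which is the second answer's point; the only per-type difference is which parameters it expects to find. The REQUIRED_PARAMS table, the https://client.example.org/cb URI, the session dict, and all token values are constructed for this example and are not from the answers or from any real provider.

```python
"""Both sides of an OIDC response_mode=form_post exchange, independent of response_type."""
import secrets
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode

# Constructed table: parameters the client must find in the posted form for the
# response_type it asked for. The form_post spec itself restricts none of these.
REQUIRED_PARAMS = {
    "code": {"code"},
    "id_token": {"id_token"},
    "id_token token": {"id_token", "access_token", "token_type"},
    "code id_token": {"code", "id_token"},
    "code token": {"code", "access_token", "token_type"},
    "code id_token token": {"code", "id_token", "access_token", "token_type"},
}


def render_form_post(redirect_uri: str, params: dict) -> tuple[dict, str]:
    """Authorization-server side: build the auto-submitting form.

    Values are HTML-escaped so a client-chosen `state` cannot break out of its attribute;
    the Cache-Control/Pragma headers tell the user agent not to store or reuse the response.
    """
    fields = "\n".join(
        f'   <input type="hidden" name="{escape(k, quote=True)}" value="{escape(v, quote=True)}"/>'
        for k, v in params.items()
    )
    body = (
        "<html>\n <head><title>Submit This Form</title></head>\n"
        ' <body onload="javascript:document.forms[0].submit()">\n'
        f'  <form method="post" action="{escape(redirect_uri, quote=True)}">\n'
        f"{fields}\n"
        '   <noscript><input type="submit" value="Continue"/></noscript>\n'
        "  </form>\n </body>\n</html>"
    )
    headers = {"Content-Type": "text/html;charset=UTF-8",
               "Cache-Control": "no-cache, no-store", "Pragma": "no-cache"}
    return headers, body


class _FormReader(HTMLParser):
    """Minimal stand-in for the user agent: records the form action and its hidden inputs."""

    def __init__(self) -> None:
        super().__init__()
        self.action = ""
        self.fields: dict = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser has already unescaped the attribute values
        if tag == "form":
            self.action = a.get("action", "")
        elif tag == "input" and a.get("type") == "hidden":
            self.fields[a["name"]] = a.get("value") or ""


def user_agent_submit(html_body: str) -> tuple[str, str, str]:
    """Simulate the browser's auto-submit: returns (action URL, Content-Type, POST body)."""
    reader = _FormReader()
    reader.feed(html_body)
    return reader.action, "application/x-www-form-urlencoded", urlencode(reader.fields)


def handle_callback(method: str, content_type: str, body: str, session: dict) -> dict:
    """Client side: consume the POST to the redirection URI, whatever the response_type.

    Checks: form POST only; `state` matches the value stored when the authorization request
    was built; the stored state is removed so the response can be accepted only once.
    Returns the parameters the client still has to act on (exchange `code`, validate
    `id_token`, use `access_token`).
    """
    if method != "POST" or not content_type.startswith("application/x-www-form-urlencoded"):
        raise ValueError("form_post callback must be an application/x-www-form-urlencoded POST")
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    expected = session.pop("oidc_state", None)  # one-time use, removed even on failure
    if expected is None or not secrets.compare_digest(
            params.get("state", "").encode(), expected.encode()):
        raise ValueError("state mismatch: unsolicited, forged or replayed response")
    if "error" in params:
        raise ValueError(f"authorization error: {params['error']}")
    missing = REQUIRED_PARAMS[session["oidc_response_type"]] - params.keys()
    if missing:
        raise ValueError(f"response lacks {sorted(missing)} for the requested response_type")
    return params


def demo(response_type: str = "id_token token") -> dict:
    """Round trip for one response_type with constructed token values (not real tokens)."""
    session = {"oidc_state": secrets.token_urlsafe(16), "oidc_response_type": response_type}
    parts = response_type.split()
    issued = {"state": session["oidc_state"]}
    if "code" in parts:
        issued["code"] = "SplxlOBeZQQYbYS6WxSbIA"  # constructed
    if "id_token" in parts:
        issued["id_token"] = "eyJhbGciOiJSUzI1NiJ9.e30.sig"  # constructed, not a valid JWT
    if "token" in parts:
        issued.update(access_token="2YotnFZFEjr1zCsicMWpAA", token_type="Bearer")  # constructed
    _, html_body = render_form_post("https://client.example.org/cb", issued)
    _, ctype, post_body = user_agent_submit(html_body)
    return handle_callback("POST", ctype, post_body, session)


if __name__ == "__main__":
    for rt in REQUIRED_PARAMS:
        print(rt, "->", sorted(demo(rt)))
```

Running the script round-trips each response_type through the same three functions. The client rejects a GET, a `state` it did not issue, and a second submission of the same form body; that last check is the client-side counterpart of the spec's "intended to be used only once", since the no-store headers only ask the browser not to replay the form.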