Thank you for posting this in Microsoft Q&A.
I understand that you want to understand how response_mode of form-post works in OpenId Connect.
My guess is that the authorization server will send back some text/javascript or html with javascript in it to the browser and then send a post request to the redirect uri with the ID token.
The authorization server does not send a JavaScript response to the browser. Instead, it sends a simple HTML form that the browser can submit automatically.
OAuth 2.0 Form Post Response Mode with `response_type=id_token&response_mode=form_post`: due to the `response_type=id_token` request parameter, the response contains the ID Token directly, instead of the authorization code, while `response_mode=form_post` encodes the ID Token with the rest of the Authorization Response parameters as HTML form values that are auto-submitted in the User Agent. This way you can have an optimized authentication flow (no need to exchange the code for an ID Token). This approach ensures that the `id_token` is sent securely to the web server without exposing it to the user or any malicious scripts.
Hope this helps. Do let us know if you have any further queries.
Thanks,
Navya.
If this answers your query, do click "Accept Answer" and "Yes" for "Was this answer helpful". And, if you have any further query, do let us know.
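As an added example (not code from the answer above, nor Microsoft's own), the two halves of the exchange the answer describes, in Python: the self-submitting HTML form an authorization server returns for `response_mode=form_post`, and the handling of the resulting POST at the `redirect_uri`. The URL `https://rp.example/cb`, the sample token and the `state` values are constructed for illustration.

```python
import html
from urllib.parse import parse_qs


def build_form_post_response(redirect_uri: str, params: dict) -> str:
    """Authorization-server side: the HTML page returned for form_post.

    The body's onload handler submits the form, so the browser POSTs the
    response parameters to redirect_uri without any custom script running
    in the page. Every name, value and the action URL is HTML-escaped so a
    crafted state or token cannot break out of an attribute and inject markup.
    """
    fields = "\n".join(
        f'<input type="hidden" name="{html.escape(n, quote=True)}" '
        f'value="{html.escape(v, quote=True)}"/>'
        for n, v in params.items()
    )
    return (
        "<html><head><title>Submit This Form</title></head>"
        '<body onload="javascript:document.forms[0].submit()">'
        f'<form method="post" action="{html.escape(redirect_uri, quote=True)}">'
        f"{fields}</form></body></html>"
    )


def handle_form_post(body: str, expected_state: str) -> str:
    """Relying-party side: parse the application/x-www-form-urlencoded body
    the browser delivered to redirect_uri and return the raw id_token.

    The state check binds the response to the login this session started
    (CSRF protection). The returned JWT must still be validated by the caller
    (signature, iss, aud, exp and the nonce) before the user is signed in.
    """
    form = parse_qs(body, keep_blank_values=True, strict_parsing=True)
    if form.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response not bound to this login")
    if "error" in form:
        raise ValueError(f"authorization error: {form['error'][0]}")
    tokens = form.get("id_token", [])
    if len(tokens) != 1:
        raise ValueError("expected exactly one id_token in the response")
    return tokens[0]


if __name__ == "__main__":
    # Constructed sample: token and state are placeholders, not real values.
    print(build_form_post_response("https://rp.example/cb",
                                   {"id_token": "hdr.payload.sig", "state": "s1"}))
    print(handle_form_post("id_token=hdr.payload.sig&state=s1", "s1"))
```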