OpenId Connect with response_mode of form-post

Karl Gardner 185 Reputation points
2024-09-30T01:21:12.1866667+00:00

Hello,

I am trying to learn more about the Open Id Connect protocol and have read through the documentation for it. However, I'm confused on one part of it. Specifically this step of it:
[image attached to the question: the step of the OpenID Connect flow diagram referred to below]

Let's say we were using form-post for the response_mode query parameter. After the user consents to permissions how would the authorization server send the id_token to the browser and then redirect with a post to the web server? My guess is that the authorization server will send back some text/javascript or html with javascript in it to the browser and then send a post request to the redirect uri with the ID token.

As the diagram shows, after the user consents to permissions it goes back to the authorize endpoint, so the authorization server has to send something back to the browser.

Thanks,

Karl


Accepted answer
  1. Navya 10,540 Reputation points Microsoft Vendor
    2024-09-30T15:46:53.7233333+00:00

    Hi @Karl Gardner

    Thank you for posting this in Microsoft Q&A.

    I understand that you want to understand how response_mode of form-post works in OpenId Connect.

    "My guess is that the authorization server will send back some text/javascript or html with javascript in it to the browser and then send a post request to the redirect uri with the ID token."

    The authorization server does not send a JavaScript response to the browser. Instead, it sends a simple HTML form that the browser can submit automatically.

    OAuth 2.0 Form Post Response Mode is used with response_type=id_token&response_mode=form_post. Due to the response_type=id_token request parameter, the response contains the ID Token directly instead of the authorization code, while response_mode=form_post encodes the ID Token with the rest of the Authorization Response parameters as HTML form values that are auto-submitted in the User Agent. This way you can have an optimized authentication flow (no need to exchange the code for an ID Token). This approach ensures that the id_token is sent securely to the web server without exposing it to the user or any malicious scripts.

    Hope this helps. Do let us know if you have any further queries.

    Thanks,

    Navya.


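The exchange the accepted answer describes, written out as an added example (not code from the thread, from Microsoft, or from any OpenID library): the authorization server renders the auto-submitting page, a stand-in for the browser does what the user agent does on load, and the relying party consumes the resulting POST. The non-normative example in the OAuth 2.0 Form Post Response Mode specification submits the form from a one-line onload attribute on the body and carries no other script; that is reproduced here with a noscript fallback. REDIRECT_URI, SAMPLE_ID_TOKEN, the state values and all function names are constructed for illustration.

```python
# Added example, not code from the Q&A thread or from Microsoft: both halves of
# the form_post exchange. REDIRECT_URI, SAMPLE_ID_TOKEN and the parameter values
# are constructed; the function names are hypothetical, not a library API.
import hmac
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode

FORM_CONTENT_TYPE = "application/x-www-form-urlencoded"
REDIRECT_URI = "https://rp.example/signin-oidc"  # constructed
SAMPLE_ID_TOKEN = "header.payload.signature"     # constructed placeholder, not a real JWT


# ---- authorization server side -------------------------------------------
def render_form_post_response(redirect_uri: str, params: dict) -> str:
    """Page the authorization server returns (HTTP 200, text/html) after consent
    when the request asked for response_mode=form_post. The only script is the
    onload submit from the spec's example; every value is HTML-escaped so a
    hostile state or error_description cannot break out of its attribute."""
    fields = "".join(
        f'<input type="hidden" name="{escape(k, quote=True)}" '
        f'value="{escape(v, quote=True)}"/>'
        for k, v in params.items()
    )
    return (
        "<!DOCTYPE html><html><head><title>Submit this form</title></head>"
        '<body onload="document.forms[0].submit()">'
        f'<form method="post" action="{escape(redirect_uri, quote=True)}">'
        f"{fields}"
        '<noscript><button type="submit">Continue</button></noscript>'
        "</form></body></html>"
    )


# ---- browser (user agent) stand-in ----------------------------------------
class _FormReader(HTMLParser):
    """Collect the form action and hidden inputs, unescaping attribute values
    the way a browser does before it submits them."""

    def __init__(self) -> None:
        super().__init__()
        self.action = None
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.action = a.get("action")
        elif tag == "input" and a.get("type") == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""


def browser_submit(page: str):
    """What the user agent does on load: POST the hidden fields, form-encoded,
    to the form's action (the redirect_uri). Returns (url, content_type, body)."""
    reader = _FormReader()
    reader.feed(page)
    return reader.action, FORM_CONTENT_TYPE, urlencode(reader.fields)


# ---- relying party (web server) side --------------------------------------
class CallbackError(Exception):
    pass


def _single(form: dict, name: str):
    """A response parameter must not be repeated; treat duplicates as hostile."""
    values = form.get(name)
    if values is None:
        return None
    if len(values) != 1:
        raise CallbackError(f"parameter {name!r} repeated")
    return values[0]


def handle_form_post_callback(content_type: str, body: str, expected_state: str) -> str:
    """Accept the POST at redirect_uri, bind it to the request this user started
    (state), and hand back the raw id_token. Checking the token's signature,
    iss, aud, exp and nonce still has to follow, with a JWT library and the
    issuer's published keys; it is deliberately not done here."""
    if content_type.split(";")[0].strip().lower() != FORM_CONTENT_TYPE:
        raise CallbackError("callback must be a form-encoded POST")
    form = parse_qs(body, keep_blank_values=True)
    error = _single(form, "error")
    if error is not None:
        raise CallbackError(f"authorization server returned error {error!r}")
    state = _single(form, "state")
    if state is None or not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise CallbackError("state mismatch: not a response to a request this session made")
    id_token = _single(form, "id_token")
    if not id_token:
        raise CallbackError("no id_token in response")
    return id_token


def run_exchange(state_sent: str, state_expected: str) -> str:
    """End to end: AS renders the page, the browser submits it, the RP checks it."""
    page = render_form_post_response(
        REDIRECT_URI, {"id_token": SAMPLE_ID_TOKEN, "state": state_sent}
    )
    url, content_type, body = browser_submit(page)
    if url != REDIRECT_URI:
        raise CallbackError("form posted somewhere other than the registered redirect_uri")
    return handle_form_post_callback(content_type, body, state_expected)


if __name__ == "__main__":
    print(run_exchange("af0ifjsldkj", "af0ifjsldkj"))
```

Two practical points follow from the shape of this exchange. The token arrives in a POST body rather than in a URL fragment or query string, so it does not land in browser history, Referer headers or the web server's access log, but the relying party still has to validate the id_token (signature against the issuer's keys, iss, aud, exp, and the nonce it sent in the request) before trusting anything in it; the callback handler above stops short of that on purpose. And because the POST to redirect_uri is a cross-site request initiated from the authorization server's origin, a state or session cookie set with SameSite=Lax or Strict will not be sent with it, so the cookie used to bind state to the user's session must be SameSite=None and Secure, or state must be kept server-side in some other way.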