
I've been working with IdentityServer3 for a little while now. I have hooked up some SPA applications, as well as some ASP.Net webform applications.

When I trace the network calls in Fiddler, I sometimes see the Auth Token returned in the redirect url. Sometimes I see it returned in a form post.

How do I control this and specify how I want the auth token returned?

Chris

1 Answer

This is controlled by the response_mode OIDC param.

https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html

https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html

Brock Allen
  • In my web application, I'm using OWIN's UseOpenIdConnectAuthentication. My ResponseType is "code id_token token". I don't specify a response mode and according to the doc referenced above, OAuth 2.0 Multiple Response Type Encoding Practices, the default should be in the fragment. However, IdentityServer3 is returning it in a form post. Does OWIN default the response mode to form post "under the hood"? – Chris Jun 22 '16 at 23:49
  • I just reinspected the url that OWIN constructs and they do indeed hardcode response_type=form_post. I wonder why they don't give us the option to specify it ourselves. – Chris Jun 23 '16 at 00:34
  • You can change it in the `RedirectingToIdentityProvider` event on the protocol message property. – Brock Allen Jun 23 '16 at 12:45
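
The default rules from the two specs linked in the answer, as an added Python example (not code from this thread, IdentityServer3 or OWIN): it resolves which response mode an authorize request will produce, with or without an explicit `response_mode`, and rejects query encoding for token-bearing response types. The function names, endpoint URL and client values are constructed for illustration.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

KNOWN_MODES = {"query", "fragment", "form_post"}  # values defined by the linked specs


def default_response_mode(response_type):
    """Encoding used when the request carries no response_mode parameter."""
    # Response types that return a token from the authorization endpoint
    # default to the fragment; "code" alone and "none" default to the query.
    parts = set(response_type.split())
    return "fragment" if parts & {"token", "id_token"} else "query"


def effective_response_mode(response_type, response_mode=None):
    """Resolve how the authorization response will be delivered."""
    default = default_response_mode(response_type)
    if response_mode is None:
        return default
    if response_mode not in KNOWN_MODES:
        raise ValueError("unknown response_mode: %r" % response_mode)
    # Fragment-default responses must never be query-encoded: a token in the
    # query string ends up in server logs and Referer headers.
    if response_mode == "query" and default == "fragment":
        raise ValueError("query encoding is not allowed for token-bearing responses")
    return response_mode


def build_authorize_url(endpoint, response_type, response_mode=None, **params):
    """Build the authorization request, validating response_mode first."""
    effective_response_mode(response_type, response_mode)
    query = dict(params, response_type=response_type)
    if response_mode is not None:
        query["response_mode"] = response_mode
    return endpoint + "?" + urlencode(query)


def mode_of_request(authorize_url):
    """Read a captured authorize URL (e.g. from a Fiddler trace) and resolve its mode."""
    q = parse_qs(urlsplit(authorize_url).query)
    return effective_response_mode(q["response_type"][0], q.get("response_mode", [None])[0])


if __name__ == "__main__":
    # Constructed endpoint and client values, for illustration only.
    url = build_authorize_url("https://idsrv.example/connect/authorize", "code id_token token",
                              "form_post", client_id="webforms-app", scope="openid", nonce="n1")
    print(mode_of_request(url))
```
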