OAuth2 and OpenID Connect with WSO2 IS - Part 15

Form Post Response

🧬 Introduction

Form Post Response mode is an additional response mode defined for OAuth 2.0 that allows the Authorization Response parameters to be delivered to the client as HTML form values via an HTTP POST request.

Normally, if you are using the Authorization Code grant, the IdP sends you the code as a query parameter named code on the redirect URL. If the form post response mode is used, the IdP does not place the requested response parameters in the redirect URL at all; instead it generates an HTML form with the response parameters added as hidden HTML elements, and that form is submitted to the client using the HTTP POST method.

The form post response mode was introduced to address the security concerns of sending parameters in the URL, where they can end up in browser history, proxy and server logs, and Referer headers. With the form post response mode, these values are encoded as HTML form values and sent in the body of a POST request.

🧪 Testing Form Post Response Mode with WSO2 IS

First, you need to create a Service Provider (SP) in WSO2 IS and deploy the client application (playground2 in the sample below) on an Apache Tomcat server. We have discussed how to create Service Providers thoroughly in this series, so I am not going to repeat it here; check the earlier parts of the series to learn how to create SPs in WSO2 IS.

After configuring the SP, paste the following URL into the browser. Note the parameter response_mode=form_post.

  • URL format: https://<IS_HOST>:<IS_PORT>/oauth2/authorize?client_id=<CLIENT_ID>&redirect_uri=<REDIRECT_URI>&scope=openid&response_type=code&response_mode=form_post

  • Sample URL: https://localhost:9443/oauth2/authorize?client_id=provided_client_id0001&redirect_uri=http://localhost:8080/playground2/oauth2client&scope=openid&response_type=code&response_mode=form_post

Use the default username (admin) and password (admin) to authenticate.

You will notice that the Authorization Code no longer arrives in the URL as a parameter (code); instead the browser issues a POST request to the /oauth2client endpoint, and the request body (the submitted form) carries the Authorization Code.
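The three parties in that exchange, as an added example that is not part of the original post or of WSO2 IS: the IdP rendering the auto-submitting form, the browser turning it into a POST body, and the client's /oauth2client handler reading the parameters from that body rather than from the URL. The state parameter and its check are this example's own assumption; the sample URL above does not send one.

```python
import html
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode
# Constructed sample value, copied from the post's sample authorization URL.
REDIRECT_URI = "http://localhost:8080/playground2/oauth2client"

def build_form_post(redirect_uri, params):
    """IdP side: render the auto-submitting page that form_post mode returns.
    Each response parameter becomes a hidden input; values are HTML-escaped so a
    caller-influenced value cannot break out of the attribute."""
    inputs = "".join(
        f'<input type="hidden" name="{html.escape(k, quote=True)}" '
        f'value="{html.escape(v, quote=True)}"/>'
        for k, v in params.items()
    )
    return (
        '<html><body onload="document.forms[0].submit()">'
        f'<form method="post" action="{html.escape(redirect_uri, quote=True)}">'
        f'{inputs}<noscript><button type="submit">Continue</button></noscript>'
        "</form></body></html>"
    )

class _HiddenInputs(HTMLParser):
    """Collects the hidden inputs a browser would submit from the form."""
    def __init__(self):
        super().__init__()
        self.fields = {}
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type") == "hidden" and "name" in a:
            self.fields[a["name"]] = a.get("value") or ""

def browser_submit(page):
    """Browser side: submit the form and return the urlencoded POST body that
    arrives at the client's redirect endpoint (nothing goes into the URL)."""
    p = _HiddenInputs()
    p.feed(page)
    return urlencode(p.fields)

def handle_callback(post_body, expected_state):
    """Client side (/oauth2client): read parameters from the POST body, not the URL.
    The state check is this example's assumption; the post's sample URL omits state."""
    form = {k: v[0] for k, v in parse_qs(post_body, keep_blank_values=True).items()}
    if form.get("state") != expected_state:
        return {"ok": False, "reason": "state mismatch"}
    if "error" in form:
        return {"ok": False, "reason": form["error"]}
    if "code" not in form:
        return {"ok": False, "reason": "no code in response"}
    return {"ok": True, "code": form["code"]}
```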

The form post response mode can be used with all of the response types:

  • code

  • token

  • code id_token

  • code token

  • id_token token

  • code id_token token

As we mentioned earlier, code is used for the Authorization Code Flow; id_token, token and id_token token are used for the Implicit Grant Flow; and code id_token, code token and code id_token token are used for the Hybrid Flow.

That covers the usage of the form post response mode in OAuth, and it also concludes the series OAuth2 and OpenID Connect with WSO2 IS. Happy reading!
