response_mode=form_post SupportThis document describes a design to solve pinniped/#668 (Support for OIDC logins on hosts without a local web browser ("jump host")) by adding support for response_mode=form_post in the Pinniped Supervisor.
response_mode=form_post?The response_mode parameter is defined in OAuth 2.0 Multiple Response Type Encoding Practices. It is a counterpart to response_type which "informs the Authorization Server of the mechanism to be used for returning Authorization Response parameters from the Authorization Endpoint". The current behavior in Pinniped corresponds to response_mode=query, where the response is returned via an HTTP redirect with URL query parameters.
The meaning of response_mode=form_post is defined by OAuth 2.0 Form Post Response Mode. Instead of an HTTP redirect, the response parameters such as authorization code, state, and granted scopes are "encoded as HTML form values that are auto-submitted in the User Agent, and thus are transmitted via the HTTP POST method to the Client".
There is also a well known field in the OIDC discovery document to advertise supported response modes (response_modes_supported defined in OpenID Connect Discovery 1.0 incorporating errata set 1).
Fosite supports this functionality since November 2020 (fosite/#470). The default HTML template shows a minimal zero-interaction example of the response:
var FormPostDefaultTemplate = template.Must(template.New("form_post").Parse(`<html>
<head>
<title>Submit This Form</title>
</head>
<body onload="javascript:document.forms[0].submit()">
<form method="post" action="{{ .RedirURL }}">
{{ range $key,$value := .Parameters }}
{{ range $parameter:= $value}}
<input type="hidden" name="{{$key}}" value="{{$parameter}}"/>
{{end}}
{{ end }}
</form>
</body>
</html>`))
We can override this to provide our own HTML and JavaScript. We need to do a little bit of setup to tell Fosite that our pinniped-cli client is allowed to use this response type and that our authorization server is prepared to handle it.
form_post to support the "jump host" caseThe key observation of this design is that the HTML page in the response_mode=form_post response is also well-positioned to have extended behavior that allows for a choice of two login flows, selected dynamically by JavaScript:
Note that this server behavior is still 100% compatible with standard OIDC clients in the first case. The second case extends beyond the spec but follows other known examples (e.g., the Concourse fly login flow).
There are also corresponding changes to the pinniped login oidc command:
If the issuer advertises support for the form_post response mode (in OIDC discovery), then add response_mode=form_post as a extra parameter on the authorization request.
If form_post is selected:
The authorization code will now be copy-pasted by the user, which exposes it to being leaked by inadvertantly pasting it in the wrong window (e.g., Slack). However, this is well mitigated by several existing mechanisms:
These mechanisms also prevent a lot of possible phishing-style attacks.
or
or
By clicking below, you agree to our terms of service.
Sign in with Wallet
New to HackMD? Sign up
| Syntax | Example | Reference | |
|---|---|---|---|
| # Header | Header | 基本排版 | |
| - Unordered List |
|
||
| 1. Ordered List |
|
||
| - [ ] Todo List |
|
||
| > Blockquote | Blockquote |
||
| **Bold font** | Bold font | ||
| *Italics font* | Italics font | ||
| ~~Strikethrough~~ | |||
| 19^th^ | 19th | ||
| H~2~O | H2O | ||
| ++Inserted text++ | Inserted text | ||
| ==Marked text== | Marked text | ||
| [link text](https:// "title") | Link | ||
|  | Image | ||
| `Code` | Code |
在筆記中貼入程式碼 | |
| ```javascript var i = 0; ``` |
|
||
| :smile: |  |
Emoji list | |
| {%youtube youtube_id %} | Externals | ||
| $L^aT_eX$ | LaTeX | ||
| :::info This is a alert area. ::: |
This is a alert area. |
On a scale of 0-10, how likely is it that you would recommend HackMD to your friends, family or business associates?
Please give us some advice and help us improve HackMD.
Do you want to remove this version name and description?
Syncing
-
Any changes
Be notified of any changes
-
Mention me
Be notified of mention me
-
Unsubscribe
Subscribe