Response Mode - OAuth Authentication
Every OAuth relying party can define its own required response mode:
1
2
3
4
5
6
7
8
9
10
11
{
"@class" : "org.apereo.cas.support.oauth.services.OAuthRegisteredService",
"clientId": "clientid",
"clientSecret": "clientSecret",
"serviceId" : "^(https|imaps)://<redirect-uri>.*",
"name" : "OAuthService",
"id" : 100,
"supportedGrantTypes": [ "java.util.HashSet", [ "...", "..." ] ],
"supportedResponseTypes": [ "java.util.HashSet", [ "...", "..." ] ]
"responseMode": "..."
}
Response mode variations allow CAS to alter the mechanism used for returning responses back to the client.
-
The
query
authorization response parameters are included in the query component of the redirect URI as query parameters.1
https://example.com/cb?code=SplxlOBeZQQYbYS6WxSbIA&state=xyz
In the above example,
code
andstate
are the authorization response parameters included in the query component of the URI.This response mode is commonly used in front-channel communication, where the authorization response is sent back to the client through the user’s browser.
-
The
fragment
authorization response parameters are included in the fragment component of the redirect URI. The fragment component is the part of the URI that comes after the#
symbol. For example:1
https://example.com/cb#access_token=SlAV32hkKG&token_type=bearer&expires_in=3600&state=xyz
This response mode is often used when the communication between the client and CAS occurs in a front-channel where JavaScript can access the fragment of the URI.
-
In
form_post
response mode, CAS sends the response parameters as HTML form parameters in the body of an HTTPPOST
request. This request is submitted by the client browser and is sent to the client’s redirection URI.1 2 3 4 5 6 7 8 9
<html> <body onload="document.oauth.submit();" style="display:none"> <form name="oauth" action="https://client.example.com/cb" method="post"> <input type="hidden" name="code" value="SplxlOBeZQQYbYS6WxSbIA"> <input type="hidden" name="state" value="xyz"> <input type="submit" value="Continue"> </form> </body> </html>
Browser SupportNeedless to say, this response mode requires the client browser to support and enable Javascript so the HTML form can be automatically and invisibly submitted.
The response mode is useful when a secure front-channel communication is required, and the client is capable of receiving and processing
POST
requests.