diff --git a/docs/docs/apis/openidoauth/endpoints.mdx b/docs/docs/apis/openidoauth/endpoints.mdx
index d5828ac6f9..10b6709f19 100644
--- a/docs/docs/apis/openidoauth/endpoints.mdx
+++ b/docs/docs/apis/openidoauth/endpoints.mdx
@@ -104,6 +104,22 @@ no additional parameters required
| prompt | If the Auth Server prompts the user for (re)authentication.
no prompt: the user will have to choose a session if more than one session exists
`none`: user must be authenticated without interaction, an error is returned otherwise
`login`: user must reauthenticate / provide a user name
`select_account`: user is prompted to select one of the existing sessions or create a new one
`create`: the registration form will be displayed to the user directly |
| state | Opaque value used to maintain state between the request and the callback. Used for Cross-Site Request Forgery (CSRF) mitigation as well, therefore highly **recommended**. |
| ui_locales | Spaces delimited list of preferred locales for the login UI, e.g. `de-CH de en`. If none is provided or matches the possible locales provided by the login UI, the `accept-language` header of the browser will be taken into account. |
+| response_mode | The mechanism to be used for returning parameters to the application. See [response modes](#response-modes) for valid values. Invalid values are ignored. |
+
+#### Response modes
+
+ZITADEL supports the following `response_mode` values. When no response mode is requested, the response mode is choosen based on the configured Response Type of the application.
+As per [OpenID Connect Core 1.0, Section 3.1.2.1](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest):
+
+> The use of this parameter is NOT RECOMMENDED when the Response Mode that would be requested is the default mode specified for the Response Type.
+
+| Response Mode | Description |
+| ------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| query | Encode the returned parameters in the URL query string. This is the default when the Response type is `code`, for example [Web applications](/docs/guides/manage/console/applications#web). |
+| fragment | Encode the returned parameters in the URL fragment. This is the default when the Response Type is `id_token`, for example implicit [User Agent apps](/docs/guides/manage/console/applications#user-agent). This mode will not work for server-side applications, because fragments are never sent by the browser to the server. |
+| form_post[^1] | ZITADEL serves a small JavaScript to the browser which will send the returned parameters to the `redirect_uri` using HTTP POST. This mode only works for server-side applications and user agents which support / allow JavaScript. |
+
+[^1]: Implements [OAuth 2.0 Form Post Response Mode](https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html)
### Successful code response
diff --git a/internal/api/oidc/auth_request.go b/internal/api/oidc/auth_request.go
index 5d23a8bd98..5053f7c1af 100644
--- a/internal/api/oidc/auth_request.go
+++ b/internal/api/oidc/auth_request.go
@@ -75,6 +75,7 @@ func (o *OPStorage) createAuthRequestLoginClient(ctx context.Context, req *oidc.
Audience: audience,
NeedRefreshToken: slices.Contains(scope, oidc.ScopeOfflineAccess),
ResponseType: ResponseTypeToBusiness(req.ResponseType),
+ ResponseMode: ResponseModeToBusiness(req.ResponseMode),
CodeChallenge: CodeChallengeToBusiness(req.CodeChallenge, req.CodeChallengeMethod),
Prompt: PromptToBusiness(req.Prompt),
UILocales: UILocalesToBusiness(req.UILocales),
diff --git a/internal/api/oidc/auth_request_converter.go b/internal/api/oidc/auth_request_converter.go
index 9a1aee2aa4..cd52cdbe58 100644
--- a/internal/api/oidc/auth_request_converter.go
+++ b/internal/api/oidc/auth_request_converter.go
@@ -6,6 +6,7 @@ import (
"strings"
"time"
+ "github.com/zitadel/logging"
"github.com/zitadel/oidc/v3/pkg/oidc"
"github.com/zitadel/oidc/v3/pkg/op"
"golang.org/x/text/language"
@@ -75,7 +76,7 @@ func (a *AuthRequest) GetResponseType() oidc.ResponseType {
}
func (a *AuthRequest) GetResponseMode() oidc.ResponseMode {
- return ""
+ return ResponseModeToOIDC(a.oidc().ResponseMode)
}
func (a *AuthRequest) GetScopes() []string {
@@ -121,6 +122,7 @@ func CreateAuthRequestToBusiness(ctx context.Context, authReq *oidc.AuthRequest,
Request: &domain.AuthRequestOIDC{
Scopes: authReq.Scopes,
ResponseType: ResponseTypeToBusiness(authReq.ResponseType),
+ ResponseMode: ResponseModeToBusiness(authReq.ResponseMode),
Nonce: authReq.Nonce,
CodeChallenge: CodeChallengeToBusiness(authReq.CodeChallenge, authReq.CodeChallengeMethod),
},
@@ -232,6 +234,27 @@ func ResponseTypeToOIDC(responseType domain.OIDCResponseType) oidc.ResponseType
}
}
+// ResponseModeToBusiness returns the OIDCResponseMode enum value from the domain package.
+// An empty or invalid value defaults to unspecified.
+func ResponseModeToBusiness(responseMode oidc.ResponseMode) domain.OIDCResponseMode {
+ if responseMode == "" {
+ return domain.OIDCResponseModeUnspecified
+ }
+ out, err := domain.OIDCResponseModeString(string(responseMode))
+ logging.OnError(err).Debugln("invalid oidc response_mode, using default")
+ return out
+}
+
+// ResponseModeToOIDC return the oidc string representation of the enum value from the domain package.
+// When responseMode is `0 - unspecified`, an empty string is returned.
+// This allows the oidc package to pick the appropriate response mode based on the response type.
+func ResponseModeToOIDC(responseMode domain.OIDCResponseMode) oidc.ResponseMode {
+ if responseMode == domain.OIDCResponseModeUnspecified || !responseMode.IsAOIDCResponseMode() {
+ return ""
+ }
+ return oidc.ResponseMode(responseMode.String())
+}
+
func CodeChallengeToBusiness(challenge string, method oidc.CodeChallengeMethod) *domain.OIDCCodeChallenge {
if challenge == "" {
return nil
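Review bot: The client-supplied `response_mode` is converted and later returned by `GetResponseMode` (here and in auth_request_converter_v2.go) without being checked against the response type, so `response_mode=query` combined with an `id_token` response type is passed through as requested. OAuth 2.0 Multiple Response Type Encoding Practices forbids query encoding for responses that carry tokens, because query strings end up in server logs, browser history and Referer headers. Unless the oidc library already rejects that combination (not visible in this diff), downgrade it where both values are known, e.g. in `CreateAuthRequestToBusiness`: `if mode == domain.OIDCResponseModeQuery && responseType != domain.OIDCResponseTypeCode { mode = domain.OIDCResponseModeUnspecified }`. `ResponseModeToBusiness` also relies on `OIDCResponseModeString` returning the zero value on error; a comment such as `// out is OIDCResponseModeUnspecified (0) when err != nil` would make that explicit.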
diff --git a/internal/api/oidc/auth_request_converter_test.go b/internal/api/oidc/auth_request_converter_test.go
new file mode 100644
index 0000000000..b35d519661
--- /dev/null
+++ b/internal/api/oidc/auth_request_converter_test.go
@@ -0,0 +1,96 @@
+package oidc
+
+import (
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+ "github.com/zitadel/oidc/v3/pkg/oidc"
+
+ "github.com/zitadel/zitadel/internal/domain"
+)
+
+func TestResponseModeToBusiness(t *testing.T) {
+ type args struct {
+ responseMode oidc.ResponseMode
+ }
+ tests := []struct {
+ name string
+ args args
+ want domain.OIDCResponseMode
+ }{
+ {
+ name: "empty",
+ args: args{""},
+ want: domain.OIDCResponseModeUnspecified,
+ },
+ {
+ name: "invalid",
+ args: args{"foo"},
+ want: domain.OIDCResponseModeUnspecified,
+ },
+ {
+ name: "query",
+ args: args{oidc.ResponseModeQuery},
+ want: domain.OIDCResponseModeQuery,
+ },
+ {
+ name: "fragment",
+ args: args{oidc.ResponseModeFragment},
+ want: domain.OIDCResponseModeFragment,
+ },
+ {
+ name: "post_form",
+ args: args{oidc.ResponseModeFormPost},
+ want: domain.OIDCResponseModeFormPost,
+ },
+ }
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ got := ResponseModeToBusiness(tt.args.responseMode)
+ assert.Equal(t, tt.want, got)
+ })
+ }
+}
+
+func TestResponseModeToOIDC(t *testing.T) {
+ type args struct {
+ responseMode domain.OIDCResponseMode
+ }
+ tests := []struct {
+ name string
+ args args
+ want oidc.ResponseMode
+ }{
+ {
+ name: "unspecified",
+ args: args{domain.OIDCResponseModeUnspecified},
+ want: "",
+ },
+ {
+ name: "invalid",
+ args: args{99},
+ want: "",
+ },
+ {
+ name: "query",
+ args: args{domain.OIDCResponseModeQuery},
+ want: oidc.ResponseModeQuery,
+ },
+ {
+ name: "fragment",
+ args: args{domain.OIDCResponseModeFragment},
+ want: oidc.ResponseModeFragment,
+ },
+ {
+ name: "form_post",
+ args: args{domain.OIDCResponseModeFormPost},
+ want: oidc.ResponseModeFormPost,
+ },
+ }
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ got := ResponseModeToOIDC(tt.args.responseMode)
+ assert.Equal(t, tt.want, got)
+ })
+ }
+}
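Review bot: The `TestResponseModeToBusiness` table leaves out two inputs that the generated `OIDCResponseModeString` accepts: the literal `unspecified`, and mixed-case values such as `QUERY`, which match through its `strings.ToLower` fallback. Adding a case for each, e.g. `{name: "uppercase", args: args{"QUERY"}, want: domain.OIDCResponseModeQuery}`, would pin that leniency as a deliberate choice. If exact matching against the three documented values is what is wanted, the same cases would catch the difference. The case named `post_form` should be `form_post` to match the value under test and the sibling table in `TestResponseModeToOIDC`.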
diff --git a/internal/api/oidc/auth_request_converter_v2.go b/internal/api/oidc/auth_request_converter_v2.go
index 3a35b01578..cfd516caff 100644
--- a/internal/api/oidc/auth_request_converter_v2.go
+++ b/internal/api/oidc/auth_request_converter_v2.go
@@ -53,7 +53,7 @@ func (a *AuthRequestV2) GetResponseType() oidc.ResponseType {
}
func (a *AuthRequestV2) GetResponseMode() oidc.ResponseMode {
- return ""
+ return ResponseModeToOIDC(a.ResponseMode)
}
func (a *AuthRequestV2) GetScopes() []string {
diff --git a/internal/api/oidc/server.go b/internal/api/oidc/server.go
index f461996ef2..b0a062b74d 100644
--- a/internal/api/oidc/server.go
+++ b/internal/api/oidc/server.go
@@ -173,23 +173,28 @@ func (s *Server) EndSession(ctx context.Context, r *op.Request[oidc.EndSessionRe
func (s *Server) createDiscoveryConfig(ctx context.Context, supportedUILocales oidc.Locales) *oidc.DiscoveryConfiguration {
issuer := op.IssuerFromContext(ctx)
return &oidc.DiscoveryConfiguration{
- Issuer: issuer,
- AuthorizationEndpoint: s.Endpoints().Authorization.Absolute(issuer),
- TokenEndpoint: s.Endpoints().Token.Absolute(issuer),
- IntrospectionEndpoint: s.Endpoints().Introspection.Absolute(issuer),
- UserinfoEndpoint: s.Endpoints().Userinfo.Absolute(issuer),
- RevocationEndpoint: s.Endpoints().Revocation.Absolute(issuer),
- EndSessionEndpoint: s.Endpoints().EndSession.Absolute(issuer),
- JwksURI: s.Endpoints().JwksURI.Absolute(issuer),
- DeviceAuthorizationEndpoint: s.Endpoints().DeviceAuthorization.Absolute(issuer),
- ScopesSupported: op.Scopes(s.Provider()),
- ResponseTypesSupported: op.ResponseTypes(s.Provider()),
- GrantTypesSupported: op.GrantTypes(s.Provider()),
- SubjectTypesSupported: op.SubjectTypes(s.Provider()),
- IDTokenSigningAlgValuesSupported: []string{s.signingKeyAlgorithm},
- RequestObjectSigningAlgValuesSupported: op.RequestObjectSigAlgorithms(s.Provider()),
- TokenEndpointAuthMethodsSupported: op.AuthMethodsTokenEndpoint(s.Provider()),
- TokenEndpointAuthSigningAlgValuesSupported: op.TokenSigAlgorithms(s.Provider()),
+ Issuer: issuer,
+ AuthorizationEndpoint: s.Endpoints().Authorization.Absolute(issuer),
+ TokenEndpoint: s.Endpoints().Token.Absolute(issuer),
+ IntrospectionEndpoint: s.Endpoints().Introspection.Absolute(issuer),
+ UserinfoEndpoint: s.Endpoints().Userinfo.Absolute(issuer),
+ RevocationEndpoint: s.Endpoints().Revocation.Absolute(issuer),
+ EndSessionEndpoint: s.Endpoints().EndSession.Absolute(issuer),
+ JwksURI: s.Endpoints().JwksURI.Absolute(issuer),
+ DeviceAuthorizationEndpoint: s.Endpoints().DeviceAuthorization.Absolute(issuer),
+ ScopesSupported: op.Scopes(s.Provider()),
+ ResponseTypesSupported: op.ResponseTypes(s.Provider()),
+ ResponseModesSupported: []string{
+ string(oidc.ResponseModeQuery),
+ string(oidc.ResponseModeFragment),
+ string(oidc.ResponseModeFormPost),
+ },
+ GrantTypesSupported: op.GrantTypes(s.Provider()),
+ SubjectTypesSupported: op.SubjectTypes(s.Provider()),
+ IDTokenSigningAlgValuesSupported: []string{s.signingKeyAlgorithm},
+ RequestObjectSigningAlgValuesSupported: op.RequestObjectSigAlgorithms(s.Provider()),
+ TokenEndpointAuthMethodsSupported: op.AuthMethodsTokenEndpoint(s.Provider()),
+ TokenEndpointAuthSigningAlgValuesSupported: op.TokenSigAlgorithms(s.Provider()),
IntrospectionEndpointAuthSigningAlgValuesSupported: op.IntrospectionSigAlgorithms(s.Provider()),
IntrospectionEndpointAuthMethodsSupported: op.AuthMethodsIntrospectionEndpoint(s.Provider()),
RevocationEndpointAuthSigningAlgValuesSupported: op.RevocationSigAlgorithms(s.Provider()),
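Review bot: The new `ResponseModesSupported` literal is a hand-maintained copy of the modes that `ResponseModeToBusiness` accepts, so the discovery document and the request parser can drift apart when a mode is added or removed. Relying parties use this metadata to decide what to request, so it should stay tied to what the server actually honours. A comment above the field would do, e.g. `// keep in sync with domain.OIDCResponseMode (all values except unspecified)`. The rest of this hunk is gofmt realignment, and `createDiscoveryConfig` continues past it.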
diff --git a/internal/api/oidc/server_test.go b/internal/api/oidc/server_test.go
index c42c11d195..19404933ba 100644
--- a/internal/api/oidc/server_test.go
+++ b/internal/api/oidc/server_test.go
@@ -73,7 +73,7 @@ func TestServer_createDiscoveryConfig(t *testing.T) {
RegistrationEndpoint: "",
ScopesSupported: []string{oidc.ScopeOpenID, oidc.ScopeProfile, oidc.ScopeEmail, oidc.ScopePhone, oidc.ScopeAddress, oidc.ScopeOfflineAccess},
ResponseTypesSupported: []string{string(oidc.ResponseTypeCode), string(oidc.ResponseTypeIDTokenOnly), string(oidc.ResponseTypeIDToken)},
- ResponseModesSupported: nil,
+ ResponseModesSupported: []string{string(oidc.ResponseModeQuery), string(oidc.ResponseModeFragment), string(oidc.ResponseModeFormPost)},
GrantTypesSupported: []oidc.GrantType{oidc.GrantTypeCode, oidc.GrantTypeImplicit, oidc.GrantTypeRefreshToken, oidc.GrantTypeBearer},
ACRValuesSupported: nil,
SubjectTypesSupported: []string{"public"},
diff --git a/internal/command/auth_request.go b/internal/command/auth_request.go
index 2acf08bf4f..efd57da240 100644
--- a/internal/command/auth_request.go
+++ b/internal/command/auth_request.go
@@ -21,6 +21,7 @@ type AuthRequest struct {
Scope []string
Audience []string
ResponseType domain.OIDCResponseType
+ ResponseMode domain.OIDCResponseMode
CodeChallenge *domain.OIDCCodeChallenge
Prompt []domain.Prompt
UILocales []string
@@ -64,6 +65,7 @@ func (c *Commands) AddAuthRequest(ctx context.Context, authRequest *AuthRequest)
authRequest.Scope,
authRequest.Audience,
authRequest.ResponseType,
+ authRequest.ResponseMode,
authRequest.CodeChallenge,
authRequest.Prompt,
authRequest.UILocales,
@@ -162,6 +164,7 @@ func authRequestWriteModelToCurrentAuthRequest(writeModel *AuthRequestWriteModel
Scope: writeModel.Scope,
Audience: writeModel.Audience,
ResponseType: writeModel.ResponseType,
+ ResponseMode: writeModel.ResponseMode,
CodeChallenge: writeModel.CodeChallenge,
Prompt: writeModel.Prompt,
UILocales: writeModel.UILocales,
diff --git a/internal/command/auth_request_model.go b/internal/command/auth_request_model.go
index 6390eb7235..a6766d1979 100644
--- a/internal/command/auth_request_model.go
+++ b/internal/command/auth_request_model.go
@@ -23,6 +23,7 @@ type AuthRequestWriteModel struct {
Scope []string
Audience []string
ResponseType domain.OIDCResponseType
+ ResponseMode domain.OIDCResponseMode
CodeChallenge *domain.OIDCCodeChallenge
Prompt []domain.Prompt
UILocales []string
@@ -58,6 +59,7 @@ func (m *AuthRequestWriteModel) Reduce() error {
m.Scope = e.Scope
m.Audience = e.Audience
m.ResponseType = e.ResponseType
+ m.ResponseMode = e.ResponseMode
m.CodeChallenge = e.CodeChallenge
m.Prompt = e.Prompt
m.UILocales = e.UILocales
diff --git a/internal/command/auth_request_test.go b/internal/command/auth_request_test.go
index 92b90e3e24..a3e1db3a28 100644
--- a/internal/command/auth_request_test.go
+++ b/internal/command/auth_request_test.go
@@ -54,6 +54,7 @@ func TestCommands_AddAuthRequest(t *testing.T) {
[]string{"openid"},
[]string{"audience"},
domain.OIDCResponseTypeCode,
+ domain.OIDCResponseModeQuery,
nil,
nil,
nil,
@@ -89,6 +90,7 @@ func TestCommands_AddAuthRequest(t *testing.T) {
[]string{"openid"},
[]string{"audience"},
domain.OIDCResponseTypeCode,
+ domain.OIDCResponseModeQuery,
&domain.OIDCCodeChallenge{
Challenge: "challenge",
Method: domain.CodeChallengeMethodS256,
@@ -115,6 +117,7 @@ func TestCommands_AddAuthRequest(t *testing.T) {
Scope: []string{"openid"},
Audience: []string{"audience"},
ResponseType: domain.OIDCResponseTypeCode,
+ ResponseMode: domain.OIDCResponseModeQuery,
CodeChallenge: &domain.OIDCCodeChallenge{
Challenge: "challenge",
Method: domain.CodeChallengeMethodS256,
@@ -137,6 +140,7 @@ func TestCommands_AddAuthRequest(t *testing.T) {
Scope: []string{"openid"},
Audience: []string{"audience"},
ResponseType: domain.OIDCResponseTypeCode,
+ ResponseMode: domain.OIDCResponseModeQuery,
CodeChallenge: &domain.OIDCCodeChallenge{
Challenge: "challenge",
Method: domain.CodeChallengeMethodS256,
@@ -220,6 +224,7 @@ func TestCommands_LinkSessionToAuthRequest(t *testing.T) {
[]string{"openid"},
[]string{"audience"},
domain.OIDCResponseTypeCode,
+ domain.OIDCResponseModeQuery,
nil,
nil,
nil,
@@ -261,6 +266,7 @@ func TestCommands_LinkSessionToAuthRequest(t *testing.T) {
[]string{"openid"},
[]string{"audience"},
domain.OIDCResponseTypeCode,
+ domain.OIDCResponseModeQuery,
nil,
nil,
nil,
@@ -300,6 +306,7 @@ func TestCommands_LinkSessionToAuthRequest(t *testing.T) {
[]string{"openid"},
[]string{"audience"},
domain.OIDCResponseTypeCode,
+ domain.OIDCResponseModeQuery,
nil,
nil,
nil,
@@ -338,6 +345,7 @@ func TestCommands_LinkSessionToAuthRequest(t *testing.T) {
[]string{"openid"},
[]string{"audience"},
domain.OIDCResponseTypeCode,
+ domain.OIDCResponseModeQuery,
nil,
nil,
nil,
@@ -399,6 +407,7 @@ func TestCommands_LinkSessionToAuthRequest(t *testing.T) {
[]string{"openid"},
[]string{"audience"},
domain.OIDCResponseTypeCode,
+ domain.OIDCResponseModeQuery,
nil,
nil,
nil,
@@ -449,6 +458,7 @@ func TestCommands_LinkSessionToAuthRequest(t *testing.T) {
[]string{"openid"},
[]string{"audience"},
domain.OIDCResponseTypeCode,
+ domain.OIDCResponseModeQuery,
nil,
nil,
nil,
@@ -513,6 +523,7 @@ func TestCommands_LinkSessionToAuthRequest(t *testing.T) {
Scope: []string{"openid"},
Audience: []string{"audience"},
ResponseType: domain.OIDCResponseTypeCode,
+ ResponseMode: domain.OIDCResponseModeQuery,
},
SessionID: "sessionID",
UserID: "userID",
@@ -535,6 +546,7 @@ func TestCommands_LinkSessionToAuthRequest(t *testing.T) {
[]string{"openid"},
[]string{"audience"},
domain.OIDCResponseTypeCode,
+ domain.OIDCResponseModeQuery,
nil,
nil,
nil,
@@ -600,6 +612,7 @@ func TestCommands_LinkSessionToAuthRequest(t *testing.T) {
Scope: []string{"openid"},
Audience: []string{"audience"},
ResponseType: domain.OIDCResponseTypeCode,
+ ResponseMode: domain.OIDCResponseModeQuery,
},
SessionID: "sessionID",
UserID: "userID",
@@ -678,6 +691,7 @@ func TestCommands_FailAuthRequest(t *testing.T) {
[]string{"openid"},
[]string{"audience"},
domain.OIDCResponseTypeCode,
+ domain.OIDCResponseModeQuery,
nil,
nil,
nil,
@@ -712,6 +726,7 @@ func TestCommands_FailAuthRequest(t *testing.T) {
Scope: []string{"openid"},
Audience: []string{"audience"},
ResponseType: domain.OIDCResponseTypeCode,
+ ResponseMode: domain.OIDCResponseModeQuery,
},
},
},
@@ -773,6 +788,7 @@ func TestCommands_AddAuthRequestCode(t *testing.T) {
[]string{"openid"},
[]string{"audience"},
domain.OIDCResponseTypeCode,
+ domain.OIDCResponseModeQuery,
&domain.OIDCCodeChallenge{
Challenge: "challenge",
Method: domain.CodeChallengeMethodS256,
@@ -810,6 +826,7 @@ func TestCommands_AddAuthRequestCode(t *testing.T) {
[]string{"openid"},
[]string{"audience"},
domain.OIDCResponseTypeCode,
+ domain.OIDCResponseModeQuery,
&domain.OIDCCodeChallenge{
Challenge: "challenge",
Method: domain.CodeChallengeMethodS256,
diff --git a/internal/command/oidc_session_test.go b/internal/command/oidc_session_test.go
index bbaff1df6b..483528b95c 100644
--- a/internal/command/oidc_session_test.go
+++ b/internal/command/oidc_session_test.go
@@ -124,6 +124,7 @@ func TestCommands_CreateOIDCSessionFromAuthRequest(t *testing.T) {
[]string{"openid", "offline_access"},
[]string{"audience"},
domain.OIDCResponseTypeCode,
+ domain.OIDCResponseModeQuery,
&domain.OIDCCodeChallenge{
Challenge: "challenge",
Method: domain.CodeChallengeMethodS256,
@@ -167,6 +168,7 @@ func TestCommands_CreateOIDCSessionFromAuthRequest(t *testing.T) {
[]string{"openid", "offline_access"},
[]string{"audience"},
domain.OIDCResponseTypeCode,
+ domain.OIDCResponseModeQuery,
&domain.OIDCCodeChallenge{
Challenge: "challenge",
Method: domain.CodeChallengeMethodS256,
@@ -218,6 +220,7 @@ func TestCommands_CreateOIDCSessionFromAuthRequest(t *testing.T) {
[]string{"openid", "offline_access"},
[]string{"audience"},
domain.OIDCResponseTypeCode,
+ domain.OIDCResponseModeQuery,
&domain.OIDCCodeChallenge{
Challenge: "challenge",
Method: domain.CodeChallengeMethodS256,
@@ -336,6 +339,7 @@ func TestCommands_CreateOIDCSessionFromAuthRequest(t *testing.T) {
[]string{"openid"},
[]string{"audience"},
domain.OIDCResponseTypeIDToken,
+ domain.OIDCResponseModeQuery,
&domain.OIDCCodeChallenge{
Challenge: "challenge",
Method: domain.CodeChallengeMethodS256,
diff --git a/internal/domain/application_oidc.go b/internal/domain/application_oidc.go
index 9fe526d684..5fe7b1f698 100644
--- a/internal/domain/application_oidc.go
+++ b/internal/domain/application_oidc.go
@@ -83,6 +83,16 @@ const (
OIDCResponseTypeIDTokenToken
)
+//go:generate enumer -type OIDCResponseMode -transform snake -trimprefix OIDCResponseMode
+type OIDCResponseMode int
+
+const (
+ OIDCResponseModeUnspecified OIDCResponseMode = iota
+ OIDCResponseModeQuery
+ OIDCResponseModeFragment
+ OIDCResponseModeFormPost
+)
+
type OIDCGrantType int32
const (
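Review bot: `OIDCResponseMode` and its constants have no doc comment, although their iota values are persisted. `AddedEvent.ResponseMode` is JSON-tagged in internal/repository/authrequest/auth_request.go and the generated enumer file defines no JSON marshaller, so the field is stored as a number. Inserting or reordering a constant would therefore silently change how stored auth requests are interpreted. I would add `// OIDCResponseMode is persisted by numeric value in auth request events; append new values only, never reorder.` above the type. The type is also declared as `int`, while the neighbouring `OIDCGrantType` is `int32`; matching the width would be more consistent if there is no reason for the difference.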
diff --git a/internal/domain/oidcresponsemode_enumer.go b/internal/domain/oidcresponsemode_enumer.go
new file mode 100644
index 0000000000..c1faab6ce5
--- /dev/null
+++ b/internal/domain/oidcresponsemode_enumer.go
@@ -0,0 +1,86 @@
+// Code generated by "enumer -type OIDCResponseMode -transform snake -trimprefix OIDCResponseMode"; DO NOT EDIT.
+
+package domain
+
+import (
+ "fmt"
+ "strings"
+)
+
+const _OIDCResponseModeName = "unspecifiedqueryfragmentform_post"
+
+var _OIDCResponseModeIndex = [...]uint8{0, 11, 16, 24, 33}
+
+const _OIDCResponseModeLowerName = "unspecifiedqueryfragmentform_post"
+
+func (i OIDCResponseMode) String() string {
+ if i < 0 || i >= OIDCResponseMode(len(_OIDCResponseModeIndex)-1) {
+ return fmt.Sprintf("OIDCResponseMode(%d)", i)
+ }
+ return _OIDCResponseModeName[_OIDCResponseModeIndex[i]:_OIDCResponseModeIndex[i+1]]
+}
+
+// An "invalid array index" compiler error signifies that the constant values have changed.
+// Re-run the stringer command to generate them again.
+func _OIDCResponseModeNoOp() {
+ var x [1]struct{}
+ _ = x[OIDCResponseModeUnspecified-(0)]
+ _ = x[OIDCResponseModeQuery-(1)]
+ _ = x[OIDCResponseModeFragment-(2)]
+ _ = x[OIDCResponseModeFormPost-(3)]
+}
+
+var _OIDCResponseModeValues = []OIDCResponseMode{OIDCResponseModeUnspecified, OIDCResponseModeQuery, OIDCResponseModeFragment, OIDCResponseModeFormPost}
+
+var _OIDCResponseModeNameToValueMap = map[string]OIDCResponseMode{
+ _OIDCResponseModeName[0:11]: OIDCResponseModeUnspecified,
+ _OIDCResponseModeLowerName[0:11]: OIDCResponseModeUnspecified,
+ _OIDCResponseModeName[11:16]: OIDCResponseModeQuery,
+ _OIDCResponseModeLowerName[11:16]: OIDCResponseModeQuery,
+ _OIDCResponseModeName[16:24]: OIDCResponseModeFragment,
+ _OIDCResponseModeLowerName[16:24]: OIDCResponseModeFragment,
+ _OIDCResponseModeName[24:33]: OIDCResponseModeFormPost,
+ _OIDCResponseModeLowerName[24:33]: OIDCResponseModeFormPost,
+}
+
+var _OIDCResponseModeNames = []string{
+ _OIDCResponseModeName[0:11],
+ _OIDCResponseModeName[11:16],
+ _OIDCResponseModeName[16:24],
+ _OIDCResponseModeName[24:33],
+}
+
+// OIDCResponseModeString retrieves an enum value from the enum constants string name.
+// Throws an error if the param is not part of the enum.
+func OIDCResponseModeString(s string) (OIDCResponseMode, error) {
+ if val, ok := _OIDCResponseModeNameToValueMap[s]; ok {
+ return val, nil
+ }
+
+ if val, ok := _OIDCResponseModeNameToValueMap[strings.ToLower(s)]; ok {
+ return val, nil
+ }
+ return 0, fmt.Errorf("%s does not belong to OIDCResponseMode values", s)
+}
+
+// OIDCResponseModeValues returns all values of the enum
+func OIDCResponseModeValues() []OIDCResponseMode {
+ return _OIDCResponseModeValues
+}
+
+// OIDCResponseModeStrings returns a slice of all String values of the enum
+func OIDCResponseModeStrings() []string {
+ strs := make([]string, len(_OIDCResponseModeNames))
+ copy(strs, _OIDCResponseModeNames)
+ return strs
+}
+
+// IsAOIDCResponseMode returns "true" if the value is listed in the enum definition. "false" otherwise
+func (i OIDCResponseMode) IsAOIDCResponseMode() bool {
+ for _, v := range _OIDCResponseModeValues {
+ if i == v {
+ return true
+ }
+ }
+ return false
+}
diff --git a/internal/domain/request.go b/internal/domain/request.go
index 5cf4846999..7c2c57436a 100644
--- a/internal/domain/request.go
+++ b/internal/domain/request.go
@@ -29,6 +29,7 @@ const (
type AuthRequestOIDC struct {
Scopes []string
ResponseType OIDCResponseType
+ ResponseMode OIDCResponseMode
Nonce string
CodeChallenge *OIDCCodeChallenge
}
diff --git a/internal/repository/authrequest/auth_request.go b/internal/repository/authrequest/auth_request.go
index 0492c541f8..99f034333b 100644
--- a/internal/repository/authrequest/auth_request.go
+++ b/internal/repository/authrequest/auth_request.go
@@ -30,6 +30,7 @@ type AddedEvent struct {
Scope []string `json:"scope,omitempty"`
Audience []string `json:"audience,omitempty"`
ResponseType domain.OIDCResponseType `json:"response_type,omitempty"`
+ ResponseMode domain.OIDCResponseMode `json:"response_mode,omitempty"`
CodeChallenge *domain.OIDCCodeChallenge `json:"code_challenge,omitempty"`
Prompt []domain.Prompt `json:"prompt,omitempty"`
UILocales []string `json:"ui_locales,omitempty"`
@@ -57,6 +58,7 @@ func NewAddedEvent(ctx context.Context,
scope,
audience []string,
responseType domain.OIDCResponseType,
+ responseMode domain.OIDCResponseMode,
codeChallenge *domain.OIDCCodeChallenge,
prompt []domain.Prompt,
uiLocales []string,
@@ -79,6 +81,7 @@ func NewAddedEvent(ctx context.Context,
Scope: scope,
Audience: audience,
ResponseType: responseType,
+ ResponseMode: responseMode,
CodeChallenge: codeChallenge,
Prompt: prompt,
UILocales: uiLocales,