fix(oidc): store requested response_mode (#8145)

# Which Problems Are Solved Zitadel never stored or returned the requested `response_mode` in oidc Auth Requests. This caused the oidc library to fallback to the default based on the response_type. # How the Problems Are Solved - Store the `response_mode` in the Auth request repo - Store the `response_mode` in the Auth request v2 events - Return the `resonse_mode` from the Auth Request v1 and v2 `ResponseMode()` methods. (Was hard-coded to an empty string) # Additional Changes - Populate the `response_modes_supported` to the oidc Discovery Configuration. When it was empty, the standard specifies the default of `query` and `fragment`. However, our oidc library also supports `form_post` and by this fix, zitadel now also supports this. # Additional Context - Closes #6586 - Reported https://discord.com/channels/927474939156643850/1151508313717084220 --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-08-12 00:27:31 +00:00 · 2024-06-17 12:50:12 +03:00
parent 85d7536d44
commit 1aa8c49e41
15 changed files with 287 additions and 20 deletions
--- a/internal/api/oidc/auth_request_converter.go
+++ b/internal/api/oidc/auth_request_converter.go
@@ -6,6 +6,7 @@ import (
 	"strings"
 	"time"

+	"github.com/zitadel/logging"
 	"github.com/zitadel/oidc/v3/pkg/oidc"
 	"github.com/zitadel/oidc/v3/pkg/op"
 	"golang.org/x/text/language"
@@ -75,7 +76,7 @@ func (a *AuthRequest) GetResponseType() oidc.ResponseType {
 }

 func (a *AuthRequest) GetResponseMode() oidc.ResponseMode {
-	return ""
+	return ResponseModeToOIDC(a.oidc().ResponseMode)
 }

 func (a *AuthRequest) GetScopes() []string {
@@ -121,6 +122,7 @@ func CreateAuthRequestToBusiness(ctx context.Context, authReq *oidc.AuthRequest,
 		Request: &domain.AuthRequestOIDC{
 			Scopes:        authReq.Scopes,
 			ResponseType:  ResponseTypeToBusiness(authReq.ResponseType),
+			ResponseMode:  ResponseModeToBusiness(authReq.ResponseMode),
 			Nonce:         authReq.Nonce,
 			CodeChallenge: CodeChallengeToBusiness(authReq.CodeChallenge, authReq.CodeChallengeMethod),
 		},
@@ -232,6 +234,27 @@ func ResponseTypeToOIDC(responseType domain.OIDCResponseType) oidc.ResponseType
 	}
 }

+// ResponseModeToBusiness returns the OIDCResponseMode enum value from the domain package.
+// An empty or invalid value defaults to unspecified.
+func ResponseModeToBusiness(responseMode oidc.ResponseMode) domain.OIDCResponseMode {
+	if responseMode == "" {
+		return domain.OIDCResponseModeUnspecified
+	}
+	out, err := domain.OIDCResponseModeString(string(responseMode))
+	logging.OnError(err).Debugln("invalid oidc response_mode, using default")
+	return out
+}
+
+// ResponseModeToOIDC return the oidc string representation of the enum value from the domain package.
+// When responseMode is `0 - unspecified`, an empty string is returned.
+// This allows the oidc package to pick the appropriate response mode based on the response type.
+func ResponseModeToOIDC(responseMode domain.OIDCResponseMode) oidc.ResponseMode {
+	if responseMode == domain.OIDCResponseModeUnspecified || !responseMode.IsAOIDCResponseMode() {
+		return ""
+	}
+	return oidc.ResponseMode(responseMode.String())
+}
+
 func CodeChallengeToBusiness(challenge string, method oidc.CodeChallengeMethod) *domain.OIDCCodeChallenge {
 	if challenge == "" {
 		return nil