fix(oidc): store requested response_mode (#8145)

# Which Problems Are Solved Zitadel never stored or returned the requested `response_mode` in oidc Auth Requests. This caused the oidc library to fallback to the default based on the response_type. # How the Problems Are Solved - Store the `response_mode` in the Auth request repo - Store the `response_mode` in the Auth request v2 events - Return the `resonse_mode` from the Auth Request v1 and v2 `ResponseMode()` methods. (Was hard-coded to an empty string) # Additional Changes - Populate the `response_modes_supported` to the oidc Discovery Configuration. When it was empty, the standard specifies the default of `query` and `fragment`. However, our oidc library also supports `form_post` and by this fix, zitadel now also supports this. # Additional Context - Closes #6586 - Reported https://discord.com/channels/927474939156643850/1151508313717084220 --------- Co-authored-by: Livio Spring <livio.a@gmail.com>
2025-08-12 03:47:33 +00:00 · 2024-06-17 12:50:12 +03:00
parent 85d7536d44
commit 1aa8c49e41
15 changed files with 287 additions and 20 deletions
--- a/internal/api/oidc/server.go
+++ b/internal/api/oidc/server.go
@@ -173,23 +173,28 @@ func (s *Server) EndSession(ctx context.Context, r *op.Request[oidc.EndSessionRe
 func (s *Server) createDiscoveryConfig(ctx context.Context, supportedUILocales oidc.Locales) *oidc.DiscoveryConfiguration {
 	issuer := op.IssuerFromContext(ctx)
 	return &oidc.DiscoveryConfiguration{
-		Issuer:                                     issuer,
-		AuthorizationEndpoint:                      s.Endpoints().Authorization.Absolute(issuer),
-		TokenEndpoint:                              s.Endpoints().Token.Absolute(issuer),
-		IntrospectionEndpoint:                      s.Endpoints().Introspection.Absolute(issuer),
-		UserinfoEndpoint:                           s.Endpoints().Userinfo.Absolute(issuer),
-		RevocationEndpoint:                         s.Endpoints().Revocation.Absolute(issuer),
-		EndSessionEndpoint:                         s.Endpoints().EndSession.Absolute(issuer),
-		JwksURI:                                    s.Endpoints().JwksURI.Absolute(issuer),
-		DeviceAuthorizationEndpoint:                s.Endpoints().DeviceAuthorization.Absolute(issuer),
-		ScopesSupported:                            op.Scopes(s.Provider()),
-		ResponseTypesSupported:                     op.ResponseTypes(s.Provider()),
-		GrantTypesSupported:                        op.GrantTypes(s.Provider()),
-		SubjectTypesSupported:                      op.SubjectTypes(s.Provider()),
-		IDTokenSigningAlgValuesSupported:           []string{s.signingKeyAlgorithm},
-		RequestObjectSigningAlgValuesSupported:     op.RequestObjectSigAlgorithms(s.Provider()),
-		TokenEndpointAuthMethodsSupported:          op.AuthMethodsTokenEndpoint(s.Provider()),
-		TokenEndpointAuthSigningAlgValuesSupported: op.TokenSigAlgorithms(s.Provider()),
+		Issuer:                      issuer,
+		AuthorizationEndpoint:       s.Endpoints().Authorization.Absolute(issuer),
+		TokenEndpoint:               s.Endpoints().Token.Absolute(issuer),
+		IntrospectionEndpoint:       s.Endpoints().Introspection.Absolute(issuer),
+		UserinfoEndpoint:            s.Endpoints().Userinfo.Absolute(issuer),
+		RevocationEndpoint:          s.Endpoints().Revocation.Absolute(issuer),
+		EndSessionEndpoint:          s.Endpoints().EndSession.Absolute(issuer),
+		JwksURI:                     s.Endpoints().JwksURI.Absolute(issuer),
+		DeviceAuthorizationEndpoint: s.Endpoints().DeviceAuthorization.Absolute(issuer),
+		ScopesSupported:             op.Scopes(s.Provider()),
+		ResponseTypesSupported:      op.ResponseTypes(s.Provider()),
+		ResponseModesSupported: []string{
+			string(oidc.ResponseModeQuery),
+			string(oidc.ResponseModeFragment),
+			string(oidc.ResponseModeFormPost),
+		},
+		GrantTypesSupported:                                op.GrantTypes(s.Provider()),
+		SubjectTypesSupported:                              op.SubjectTypes(s.Provider()),
+		IDTokenSigningAlgValuesSupported:                   []string{s.signingKeyAlgorithm},
+		RequestObjectSigningAlgValuesSupported:             op.RequestObjectSigAlgorithms(s.Provider()),
+		TokenEndpointAuthMethodsSupported:                  op.AuthMethodsTokenEndpoint(s.Provider()),
+		TokenEndpointAuthSigningAlgValuesSupported:         op.TokenSigAlgorithms(s.Provider()),
 		IntrospectionEndpointAuthSigningAlgValuesSupported: op.IntrospectionSigAlgorithms(s.Provider()),
 		IntrospectionEndpointAuthMethodsSupported:          op.AuthMethodsIntrospectionEndpoint(s.Provider()),
 		RevocationEndpointAuthSigningAlgValuesSupported:    op.RevocationSigAlgorithms(s.Provider()),