Layer7 API Management


Hybrid Flow request and response example

  • 1.  Hybrid Flow request and response example

    Posted 03-13-2020 04:56 PM
    Hello there,
    We have a client who wants to use Hybrid Flow for their OIDC implementation, and for that I need to make sure what the request and response would be that the OAuth server will receive and send back.

    For Example:

    Auth Request:

    https://myOIDC.domain.com/auth/oauth/v2/authorize?
    client_id=65c6e887-bfda-4239-8449-1d1f1cf2e1kr&response_type=code%20id_token&redirect_uri=https://clientApp_callbackURL&scope=openid%20offline_access%20profile%20email&response_mode=form_post&nonce=637193795768817490.MmVlZmZhZjAtYjg2MC00MjkyLWJkNWUtYzM5N2FiMWU0YmMzNDlkZTExY2UtZDRjMC00ZDM2LTk5ZGYtMzY1ZmUzNGJiOTZm&state=%2f1234

    What will be the response from the OAuth server for the above request?
    As per the doc, for CODE flow the client should receive this:
    Header: 302
    Header: Location: the-redirect-uri?code=an-authorization-code&state=the-given-state

    For response_type=token id_token, the response from OAuth will be:

    Header: 302
    Header: Location: the-redirect-uri?state=the-given-state#access_token=an-access_token&expires_in=lifetime-in-seconds&token_type=Bearer&scope=granted-scope&id_token=an-id-token-represented-as-jwt&id_token_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer


    However, for response_type=CODE ID_TOKEN and response_mode=form_post, what will be the response from the OAuth server?

    thanks




  • 2.  RE: Hybrid Flow request and response example

    Posted 03-13-2020 05:23 PM
    I get a response from the OAuth server as below with '#', which is causing a problem for our app's consent page; we expect to have '?' before code=

    https://clientApp_callbackURL#code=e8867037-1b1c-44d8-9387-4e99335c25e0&id_token=iLCJhbGciOiJSUzI1NiIsImtpZCI6Imp3dF9zaWduIn0.ewogInN1YUpPWGtPRGtfTDFfN3lUd1M0IiwKICJhdWQiOiAiNDVjNmU4MTMtYmZkYS00Mjg2LTg0NDktMWQxZjFjZjJlZjhhIiwKICJjX2hhc2giYWNyIjogIjAiLAogImF6cCI6ICI0NWM2ZTgxMy1iZmRhLTQyODYtODQ0OS0xZEiLAogImF1dGh6IDE1ODEwMjg4mh0dHBzOi8vbXlhZHBpZC1pYXQuYWRwLmNvbSIsCiAixNTI4MywKICJpYXQiOiAxNTgxbmNlIjogIjYzNzE2NTk5NzMabUZpTmkwMFpURXE1TmpVMk5USmlPRE5tTkRjeE1HVXRNemxoTlMwME9ESTVMVGd5TVRRdFlUWmtNbUUwWTJGa01XUTRHRiIKfQ.KAiIwq5qg9Eaq3lWXxXMrvpsfedRxtene7ci3HyCQ4ZqtIuYkWWH8WtKqgPdDsY8nokkJtGUeIVgKnjG7g5H4u2BOQ7zlSK0SQIASWK8Y-PQsCGd6vHwP_xD7wm3xa4VtEOYRAAjlStFI8yAGzhaDQB1rwa329eNkS93hyzy-3IBsKAe53DQwUGdANFv2GIjMwan1eFtOBzt4RvJF98a6XEZ2bhHlXHG2tsfWQ&id_token_type=urn%3Aietf%3Aparams%3Aoauth%3Agrant-type%3Ajwt-bearer&state=wONk3jMCbxvuBInckddk%2FomW&scope=openid+email+profile

    Is it possible to change '#' to '?' in the response for Hybrid Flow? It works fine for Code flow with '?', as below:

    Response headers: {Content-Security-Policy=[default-src 'self'; script-src *.googleapis.com 'unsafe-inline'; img-src * data:; style-src 'unsafe-inline'; font-src * data:;], X-Content-Type-Options=[nosniff], X-XSS-Protection=[1], Location=[https://clientApp_callbackURL?code=35f0937e-926d-4814-954d-f364c028f399&state=iSOPDeBhkLfWRboz%2FYMPxgEO], Content-Type=[text/html;charset=UTF-8], Date=[Wed, 11 Mar 2020 15:52:18 GMT], Server=[CA-API-Gateway/9.0]}
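The '#' in the reply above is what OpenID Connect Core specifies for response_type=code id_token (fragment encoding by default); with response_mode=form_post the same parameters arrive as a POST body instead. The following is an added example, not code from the poster or from Layer7: a client-side callback handler that accepts all three encodings, checks state and nonce, and goes beyond the thread by verifying the c_hash claim that binds the id_token to the code (OIDC Core 3.3.2.11). All sample values (state, nonce, code, the unsigned id_token) are constructed; a real client must also verify the id_token signature against the provider's JWKS.

```python
import base64
import hashlib
import json
from urllib.parse import parse_qs, urlsplit

# Constructed sample values for this example; nothing here comes from a real gateway.
EXPECTED_STATE, EXPECTED_NONCE, SAMPLE_CODE = "st-1234", "n-5678", "ac-0f3b9c"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def c_hash(code: str) -> str:
    # OIDC Core 3.3.2.11: base64url of the left-most half of SHA-256(code) for RS256.
    digest = hashlib.sha256(code.encode("ascii")).digest()
    return b64url(digest[: len(digest) // 2])

def unsigned_id_token(claims: dict) -> str:
    # Constructed, unsigned token so the example runs offline; a real client must
    # verify the signature against the provider's JWKS before trusting any claim.
    header = b64url(json.dumps({"alg": "RS256", "kid": "jwt_sign"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}."

def id_token_claims(token: str) -> dict:
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def parse_callback(url_or_body: str) -> dict:
    # Hybrid flow defaults to fragment ('#'), code flow to query ('?'), and
    # response_mode=form_post delivers the same pairs as a POST body: accept all three.
    parts = urlsplit(url_or_body)
    raw = parts.fragment or parts.query or url_or_body
    return {k: v[0] for k, v in parse_qs(raw).items()}

def validate_hybrid_response(params: dict, state: str, nonce: str) -> dict:
    if params.get("state") != state:
        return {"ok": False, "error": "state mismatch (stale or forged request)"}
    code, token = params.get("code"), params.get("id_token")
    if not code or not token:
        return {"ok": False, "error": "response_type=code id_token needs both code and id_token"}
    claims = id_token_claims(token)
    if claims.get("nonce") != nonce:
        return {"ok": False, "error": "nonce mismatch (replayed id_token)"}
    if claims.get("c_hash") != c_hash(code):
        return {"ok": False, "error": "c_hash does not bind this id_token to this code"}
    return {"ok": True, "code": code, "sub": claims.get("sub")}

SAMPLE_ID_TOKEN = unsigned_id_token({"iss": "https://myOIDC.domain.com", "sub": "user-42",
    "aud": "client-1", "nonce": EXPECTED_NONCE, "c_hash": c_hash(SAMPLE_CODE)})
SAMPLE_FRAGMENT_URL = f"https://clientApp_callbackURL#code={SAMPLE_CODE}&id_token={SAMPLE_ID_TOKEN}&state={EXPECTED_STATE}&scope=openid+email+profile"
SAMPLE_FORM_BODY = f"code={SAMPLE_CODE}&id_token={SAMPLE_ID_TOKEN}&state={EXPECTED_STATE}"
```

SAMPLE_FRAGMENT_URL mirrors the fragment-encoded callback shown in the reply, and SAMPLE_FORM_BODY is what the same response looks like when response_mode=form_post is honoured.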