Symantec Access Management

Tech Tip : CA Single Sign-On : Oauth2 Implicit flow - token code missing 

  • 1.  Tech Tip : CA Single Sign-On : Oauth2 Implicit flow - token code missing 

    Posted 06-14-2018 05:33 AM

    Question:

     

    We are using the last version of SiteMinder 12.8 with the new implicit Oauth2 flow.

    It seems SiteMinder does not implement correctly the Implicit flow. As you may see, the response_type=token generate an error:

    "response type is missing or invalid".

    Trying with other code the results are:
    response_type=code --> OK
    response_type=token --> ERROR
    response_type=id_token --> OK
    response_type=id_token%20token --> OK

    So we are guessing that the OpenID connect Implicit works well, but the Standard OAuth2 implicit does not work.

    May you help us?

     

    Answer:

     

    At first glance, it looks like the Implicit Grant Flow is implemented
    only in the OpenID Connect Provider wich is a new feature from 12.8.

    OIDC Implicit Flow

    Besides Authorization Code Flow, CA Single Sign-On can now
    authenticate users using OIDC Implicit Flow for supporting clients
    that are browser-based, use a scripting language, and are Single-Page
    Applications (SPA). Authorization Endpoint issues Access Token and ID
    Token to a Client directly. CA Single Sign-On Implicit Flow is
    certified with OpenID Conformance Implicit Profile.

    New Features
    https://docops.ca.com/ca-single-sign-on/12-8/en/release-notes/new-features

    For more information, see Authentication Using Implicit Flow

    Authentication Using Implicit Flow
    https://docops.ca.com/ca-single-sign-on/12-8/en/configuring/use-ca-single-sign-on-as-openid-connect-provider/authentication-using-implicit-flow

    CA Single Sign-On as OpenID Connect Provider
    https://docops.ca.com/ca-single-sign-on/12-8/en/release-notes/new-features

    You'll notice as well that the Implicit Grant Flow isn't recommended to use.

    OAuth 2.0 Implicit Grant
    https://oauth.net/2/grant-types/implicit/

    What is the OAuth 2.0 Implicit Grant Type?
    https://developer.okta.com/blog/2018/05/24/what-is-the-oauth2-implicit-grant-type

    You should note also that CA API Gateway has this feature implemented for OAuth 2.0 :

    OAuth 2.0 Tutorial 3: The Implicit Grant Type
    https://communities.ca.com/videos/1363

    In order to get this Flow type implemented outside OIDC (OpenID Connect), we invite you
    to open an Idea on the Security page :

    1. Go to the CA Security Overview Page :
    https://communities.ca.com/community/ca-security/ca-single-sign-on
    2. Click on the "Actions" drop-down menu and select "Create an
    idea."
    3. Give your idea a title and detailed description to encourage
    voting.
    4. Publish and vote on your idea!

     

    KB : KB000100776