Skip to content
This repository has been archived by the owner on Sep 18, 2021. It is now read-only.

Authorization Endpoint does not support POST #3168

Closed
mniak opened this issue Aug 25, 2016 · 12 comments
Closed

Authorization Endpoint does not support POST #3168

mniak opened this issue Aug 25, 2016 · 12 comments
Assignees
Milestone

Comments

@mniak
Copy link

mniak commented Aug 25, 2016

Question / Issue

According to the OpenID Connect Core 1.0 specification the method POST should be supported.

Authorization Servers MUST support the use of the HTTP GET and POST methods defined in RFC 2616 [RFC2616] at the Authorization Endpoint.

I've made some tests and realized that it's not the case. The Identity Server 3 returns me an HTTP 405 Method Not Allowed with the following contents:

{"Message":"The requested resource does not support http method 'POST'."}
@leastprivilege
Copy link
Member

Is that blocking you?

@mniak
Copy link
Author

mniak commented Aug 25, 2016

No...
But it would be great if this implementation were 100% compliant to the specification, so I decided to report it.

@leastprivilege
Copy link
Member

Thanks.

I totally forgot that POST is a MUST. It was not required for our compliance certification though.

@brockallen
Copy link
Member

Turns out our routing infrastructure would require some changes that we'd rather not do. IdentityServer4 is fully compliant, BTW. So given that this is not blocking you, we'll close.

@opnarius
Copy link

opnarius commented Mar 2, 2017

@brockallen what are breaking changes you mention?

I'm trying to get wso2 store to use IndentityServer3 as the sts for login, and they issue a POST to authorize endpoint instead of GET.

@brockallen
Copy link
Member

I don't recall, honestly. I know that how we do our routing and how that maps to our controllers was affected. I spent 1-2 hours trying to make it work with minimal interruption, but wasn't terribly successful.

@opnarius
Copy link

opnarius commented Mar 2, 2017

Just saw this PR #3234 . Any plans on merging it in?

@brockallen
Copy link
Member

I don't recall if that was incomplete or not, but I see a 3.0 label -- perhaps that's the one with the breaking changes.

@tboyce
Copy link

tboyce commented May 2, 2017

Was this ever fixed?

@MaximilianoRios
Copy link

I've not seen anything related to that issue recently. I guess it's not fixed (yet)

@robinvanleemput
Copy link

Just in case an additional comment could tilt the balance in favor of the PR #3234
We're currently working on an integration with F5 BigIP as a reverse proxy which only supports HTTP POST as a redirection to external login page. Migration to identityserver4 is not possible as a short term solution for multiple reasons.

@slaneyrw
Copy link

slaneyrw commented Oct 13, 2017

According to 2.6 release notes, this enhancement was delivered in that release. But the pull request appears to be still outstanding. Does IdSrvr3 2.6.x support POST for the authorize endpoint, or do I need to upgrade to IdSrvr4?

https://github.com/IdentityServer/IdentityServer3/releases/tag/2.6.0

We are currently using 2.5.3 and starting to get close to URL limits for the authorize endpoint. Some of our clients pass a lot of information in either AuthenticationProperties and/or acr values

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

No branches or pull requests

8 participants