CXF-8414

OAuth 2.0: authorize response_type order matters


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Information Provided
    • Affects Version/s: 3.4.2
    • Fix Version/s: None
    • Component/s: JAX-RS Security
    • Labels:
    • Estimated Complexity: Unknown

      Description

      Per the OAuth2 Specification:

      If a response type contains one or more space characters (%x20), it
      is compared as a space-delimited list of values in which the order of
      values does not matter. Only one order of values can be registered,
      which covers all other arrangements of the same set of values.

      For example, the response type "token code" is left undefined by this
      specification. However, an extension can define and register the
      "token code" response type. Once registered, the same combination
      cannot be registered as "code token", but both values can be used to
      denote the same response type.

      OidcImplicitService and OidcHybridService both support multiple response types, but require specific ordering. For example, "id_token token" will work, but "token id_token" returns unsupported_response_type.
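      As an added illustration (not code from CXF or from the reporter), this is the comparison rule the quoted spec text describes: the requested response_type is split on spaces and compared as a set against one canonical registered ordering, so "token id_token" resolves to the same registered type as "id_token token". The registry of OIDC implicit/hybrid combinations is an assumption for the example, not CXF's actual configuration.

```python
"""Order-insensitive response_type matching per RFC 6749 section 3.1.1.
Constructed example, not Apache CXF code. REGISTERED_RESPONSE_TYPES is
an assumed registry modelled on the OIDC implicit/hybrid combinations."""
from __future__ import annotations

# One canonical ordering per combination, as the spec requires
# ("only one order of values can be registered").
REGISTERED_RESPONSE_TYPES = (
    "code",                 # authorization code flow
    "token",                # OAuth 2.0 implicit
    "id_token",             # OIDC implicit, id_token only
    "id_token token",       # OIDC implicit (the case in the report)
    "code id_token",        # OIDC hybrid
    "code token",           # OIDC hybrid
    "code id_token token",  # OIDC hybrid
)


def parse_response_type(value: str) -> frozenset[str]:
    """Split on %x20 and return the values as a set, since order is
    irrelevant. An empty parameter, a leading/trailing/double space or
    a repeated value ("token token") is rejected as malformed."""
    parts = value.split(" ")
    if any(part == "" for part in parts):
        raise ValueError("malformed response_type")
    values = frozenset(parts)
    if len(values) != len(parts):
        raise ValueError("duplicate value in response_type")
    return values


def match_response_type(requested: str,
                        registered=REGISTERED_RESPONSE_TYPES) -> str | None:
    """Return the canonical registered response_type equal, as a set,
    to `requested`, or None. The authorization endpoint answers None
    with error=unsupported_response_type; any ordering of a registered
    combination is accepted."""
    try:
        wanted = parse_response_type(requested)
    except ValueError:
        return None
    for canonical in registered:
        if parse_response_type(canonical) == wanted:
            return canonical
    return None


if __name__ == "__main__":
    for rt in ("id_token token", "token id_token", "code token", "token token"):
        print(repr(rt), "->", match_response_type(rt))
```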

    People

    • Assignee: Unassigned
    • Reporter: willcro Will Croteau
