ref: Parametrize OIDC authorization response mode

Planka used 'fragment' as its default response_mode, which is not supported by
all OIDC providers.

Planka supports only the Authorization Code flow. The default response mode
for the authorization code flow is 'query', meaning the authorization server
appends the authorization code to the redirect URI as a query parameter.

I have added two environment variables: one to use the default response mode
from the OIDC provider, and one to customize the response mode if needed.

Using the default response mode is recommended by the OIDC specification:
"This use of this parameter is NOT RECOMMENDED when the Response Mode that
would be requested is the default mode specified for the Response Type."

To avoid any breaking changes, I kept the default value as 'fragment'. Ideally,
the environment variable should be undefined by default.
pull/824/head
lebaudantoine 1 year ago
parent 8d74cc1732
commit a6c8f1bc23

@ -4,11 +4,16 @@ module.exports = {
if (sails.hooks.oidc.isActive()) {
const oidcClient = sails.hooks.oidc.getClient();
const authorizationParameters = {
scope: sails.config.custom.oidcScopes,
}
if(!sails.config.custom.oidcDefaultResponseMode) {
authorizationParameters.response_mode = sails.config.custom.oidcResponseMode
}
oidc = {
authorizationUrl: oidcClient.authorizationUrl({
scope: sails.config.custom.oidcScopes,
response_mode: 'fragment',
}),
authorizationUrl: oidcClient.authorizationUrl(authorizationParameters),
endSessionUrl: oidcClient.issuer.end_session_endpoint ? oidcClient.endSessionUrl({}) : null,
isEnforced: sails.config.custom.oidcEnforced,
};
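Review bot: The new `authorizationParameters` lines do not follow the statement style of the rest of this hunk: the object literal's closing `}` and the `response_mode` assignment both lack a terminating `;`, and `if(` has no space before the parenthesis, unlike `if (sails.hooks.oidc.isActive())` a few lines up. Matching the surrounding code would be `};`, `if (!sails.config.custom.oidcDefaultResponseMode) {` and `authorizationParameters.response_mode = sails.config.custom.oidcResponseMode;`. Since the mode now comes from configuration, a one-line comment above the `if` stating which response modes the redirect handler accepts (with `fragment` the authorization code is only visible to the browser, with `query` it is sent to the server in the redirect) would tell operators what values are safe to set; the callback handler is not visible in this hunk, so I cannot confirm which modes it supports. The enclosing function starts before and ends after this hunk.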

@ -40,6 +40,8 @@ module.exports.custom = {
oidcClientId: process.env.OIDC_CLIENT_ID,
oidcClientSecret: process.env.OIDC_CLIENT_SECRET,
oidcScopes: process.env.OIDC_SCOPES || 'openid email profile',
oidcResponseMode: process.env.OIDC_RESPONSE_MODE || 'fragment',
oidcDefaultResponseMode: process.env.OIDC_DEFAULT_RESPONSE_MODE === 'true',
oidcAdminRoles: process.env.OIDC_ADMIN_ROLES ? process.env.OIDC_ADMIN_ROLES.split(',') : [],
oidcEmailAttribute: process.env.OIDC_EMAIL_ATTRIBUTE || 'email',
oidcNameAttribute: process.env.OIDC_NAME_ATTRIBUTE || 'name',
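Review bot: At the `oidcResponseMode` line the value of `OIDC_RESPONSE_MODE` is forwarded to the authorization request without being checked against the modes the application can actually handle, so a typo or an unsupported value only shows up as a failed login at the provider rather than at startup. Consider validating at config load, e.g. `const allowedResponseModes = ['query', 'fragment'];` followed by a check that logs or throws when the configured value is not in the list (extend the list to whatever the callback handler supports). The boolean `oidcDefaultResponseMode` reads as if it held a mode string; `oidcUseDefaultResponseMode` would make its `=== 'true'` meaning clearer, and the two new variables do not appear to be documented alongside the other OIDC settings in this change.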
