Make Response Mode Optional (Oracle IDCS)

[dzirg44]

In Oracle IDCS (Identity Cloud Services) both options
(according to https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html)

• Response Mode for the OAuth 2.0 code Response Type is the query encoding
• Response Mode for the OAuth 2.0 token Response Type is the fragment encoding

are invalid.
If I use
query => code
I have

Oops... Client 111111 provided an invalid response mode: query.

in case
fragment => token

Unhandled Rejection (Error): Only the Authorization Code flow (with PKCE) is supported

Only when I remove the default value

https://github.com/authts/oidc-client-ts/blob/main/src/OidcClient.ts#L102

I can make it work.

In my opinion , if it is not a mistake caused by Oracle developers there are 2 ways to fix.
1 - simply delete the default value
2 - add 'none' option to response_mode

the fix I found out exploring
https://auth0.com/docs/authenticate/login/oidc-conformant-authentication/oidc-adoption-auth-code-flow#code-exchange-request-authorization-code-flow-with-pkce

[pamapa]

I agree, when reading the spec (https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest):

• "response_mode
  OPTIONAL. Informs the Authorization Server of the mechanism to be used for returning parameters from the Authorization Endpoint. This use of this parameter is NOT RECOMMENDED when the Response Mode that would be requested is the default mode specified for the Response Type. "

Means when response_type is code, which is always the case in this library anyway, we should not set response_mode by default.

I will need to test this first on other real IDPs first...

[pamapa]

Tested: Works on my IDP: response_type=code without response_mode

Tried:

index c10152ed..f89f04f5 100644
--- a/oidc-client-ts/OidcClientSettings.ts
+++ b/oidc-client-ts/OidcClientSettings.ts
@@ -162,7 +162,7 @@ export class OidcClientSettingsStore {
     public readonly ui_locales: string | undefined;
     public readonly acr_values: string | undefined;
     public readonly resource: string | string[] | undefined;
-    public readonly response_mode: "query" | "fragment";
+    public readonly response_mode: "query" | "fragment" | undefined;
 
     // behavior flags
     public readonly filterProtocolClaims: boolean | string[];
@@ -191,7 +191,7 @@ export class OidcClientSettingsStore {
         redirect_uri, post_logout_redirect_uri,
         client_authentication = DefaultClientAuthentication,
         // optional protocol
-        prompt, display, max_age, ui_locales, acr_values, resource, response_mode = DefaultResponseMode,
+        prompt, display, max_age, ui_locales, acr_values, resource, response_mode,// = DefaultResponseMode,
         // behavior flags
         filterProtocolClaims = true,
         loadUserInfo = false,

[pamapa]

Should we fixed that in a major or minor version? I tend to do it in a minor, as it fixes a bug and the chance that existing IDPs still work seems high. Will add a release notice for that...

[dzirg44]

@pamapa the chance that it can break something is low, i agree, but if you don't specify it in your config it means that the response_mode will be query , and after the upgrade it will be absent and it can lead to changing the behavior for the app. I would like to see it in a minor version update, but if you don't want to struggle with issues like "after the upgrade the auth is broken" - major is more suitable. And thank you for your work.

[pamapa]

@dzirg44 You are right lets do this on the planned 3.0.0, which comes later this year.