Hello,
I am a software architect specializing in authentication and authorization. I have been reflecting on the use of the Form Post Response Mode and noticed that it receives little attention in current OAuth and OIDC security guidelines.
I am curious why Form Post Response Mode has not been explicitly recommended as a best practice in any of the OAuth or OIDC security publications.
From my perspective, it can provide benefits in certain cases, such as:
1. Protecting confidential clients from certain types of authorization code injection attacks. Based on my recent research, Form Post Response Mode appears to be the only protection mechanism that can fully mitigate the described attack scenario, since it prevents the authorization response from being accessible to the origin of the application.
2. Improving the OIDC Implicit Flow for similar reasons: it reduces the exposure of the authorization response to the frontend application context. In some scenarios, the OIDC Implicit Flow combined with Form Post Response Mode could be preferable to the Authorization Code flow with PKCE, for example, for public clients that have a backend capable of receiving a POST request with the authorization response from the user's browser. This approach is useful when there is no direct network connectivity between the application backend and the authorization response, and thus a front-channel interaction is required.
On the other hand, I cannot identify any significant drawbacks to using this response mode, aside from inconsistent support across implementations. Therefore, I currently see no reason why the query response mode should be considered more secure. Nevertheless, current security best practice documents do not mention the possibility of increasing client security through the Form Post Response Mode, depending, of course, on the specific threat model.
I would greatly appreciate any insights from the working group regarding the reasons this response mode is not highlighted in current guidance, and whether there are security considerations that I might be overlooking.
Thank you for your time and attention.
--
Best regards,
Andrey Kuznetsov
Software Architect
Identity & Access Management
Yandex Cloud
_______________________________________________
OAuth mailing list
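The mechanism behind points 1 and 2 above (the authorization response travelling in a browser-submitted POST body rather than in the redirect URI), as an added illustration that is not part of the original message: the authorization server side renders the auto-submitting form defined by the OAuth 2.0 Form Post Response Mode spec, and the client backend accepts the code only from the POST body while refusing any code that arrives in the URL. The redirect URI, code and state values are constructed for the example.

```python
import html
from urllib.parse import parse_qs, urlparse


def render_form_post(redirect_uri: str, params: dict[str, str]) -> str:
    """AS side: build the self-submitting HTML form page of response_mode=form_post.
    Every value is HTML-escaped so a crafted state value cannot inject markup."""
    inputs = "\n".join(
        f'<input type="hidden" name="{html.escape(k)}" value="{html.escape(v)}"/>'
        for k, v in params.items()
    )
    return (
        "<html><head><title>Submit This Form</title></head>"
        '<body onload="javascript:document.forms[0].submit()">'
        f'<form method="post" action="{html.escape(redirect_uri)}">'
        f"{inputs}</form></body></html>"
    )


def handle_redirect(method: str, url: str, body: str, expected_state: str) -> str:
    """Client backend: take the authorization response from the POST body only,
    reject a code in the query string, and bind the response to the user's
    session via state. Returns the authorization code."""
    if method != "POST":
        raise ValueError("form_post expected; refusing non-POST response")
    if parse_qs(urlparse(url).query):
        # A code in the URL is readable by page scripts and leaks via history
        # and Referer; keeping it out of the URL is the point of form_post.
        raise ValueError("authorization response must not be in the URL")
    form = parse_qs(body, strict_parsing=True)
    if form.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response not bound to this session")
    if "error" in form:
        raise ValueError(f"authorization error: {form['error'][0]}")
    return form["code"][0]


def accepted(method: str, url: str, body: str, expected_state: str) -> bool:
    """Predicate form of handle_redirect: does the backend accept this response?"""
    try:
        handle_redirect(method, url, body, expected_state)
        return True
    except (ValueError, KeyError):
        return False
```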
