implement response_mode (#469)

eopeter · Emmanuel Oche · rayluo · web-flow · commit 43974778fa70 · 2022-05-12T13:53:43.000-07:00
* implement response_mode

oidc supports passing the response_mode to allow redirects to send callback parameters as POST for increased security.

* Fix error check logic and modify test_ccs to include response_mode

* Add more comments

* Apply suggestions from code review

Co-authored-by: Ray Luo &lt;rayluo.mba@gmail.com&gt;

* PR review comments addressed

* remove extraneous line

Co-authored-by: Emmanuel Oche &lt;eoche@linkedin.com&gt;
Co-authored-by: Ray Luo &lt;rayluo.mba@gmail.com&gt;
diff --git a/msal/application.py b/msal/application.py
@@ -636,6 +636,7 @@ def initiate_auth_code_flow(
             domain_hint=None,  # type: Optional[str]
             claims_challenge=None,
             max_age=None,
+            response_mode=None,  # type: Optional[str]
             ):
         """Initiate an auth code flow.
 
@@ -677,6 +678,20 @@ def initiate_auth_code_flow(
 
             New in version 1.15.
 
+        :param str response_mode:
+            OPTIONAL. Specifies the method with which response parameters should be returned.
+            The default value is equivalent to ``query``, which is still secure enough in MSAL Python
+            (because MSAL Python does not transfer tokens via query parameter in the first place).
+            For even better security, we recommend using the value ``form_post``.
+            In "form_post" mode, response parameters
+            will be encoded as HTML form values that are transmitted via the HTTP POST method and
+            encoded in the body using the application/x-www-form-urlencoded format.
+            Valid values can be either "form_post" for HTTP POST to callback URI or
+            "query" (the default) for HTTP GET with parameters encoded in query string.
+            More information on possible values
+            `here <https://openid.net/specs/oauth-v2-multiple-response-types-1_0.html#ResponseModes>`
+            and `here <https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html#FormPostResponseMode>`
+
         :return:
             The auth code flow. It is a dict in this form::
 
@@ -707,6 +722,7 @@ def initiate_auth_code_flow(
             claims=_merge_claims_challenge_and_capabilities(
                 self._client_capabilities, claims_challenge),
             max_age=max_age,
+            response_mode=response_mode,
             )
         flow["claims_challenge"] = claims_challenge
         return flow
