
Commit d934c73

author
Emmanuel Oche
committed
implement response_mode
OIDC supports passing a response_mode so that the redirect delivers the callback parameters as a POST, for increased security.
1 parent 14965f7 commit d934c73


2 files changed

+12
-1
lines changed

2 files changed

+12
-1
lines changed

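--- a/msal/application.py
+++ b/msal/application.py
@@ -636,6 +636,7 @@ def initiate_auth_code_flow(
 domain_hint=None, # type: Optional[str]
 claims_challenge=None,
 max_age=None,
+response_mode= None, # type: Optional[str]
 ):
 """Initiate an auth code flow.
 
@@ -673,6 +674,13 @@ def initiate_auth_code_flow(
 If the elapsed time is greater than this value,
 Microsoft identity platform will actively re-authenticate the End-User.
 
+:param str response_mode:
+OPTIONAL. Response mode for the callback; can be either "form_post"
+for POST to callback URI or "query" (the default) for GET with
+parameters encoded in query string.
+More information on possible values
+`here <https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html>`
+
 MSAL Python will also automatically validate the auth_time in ID token.
 
 New in version 1.15.
@@ -706,7 +714,7 @@ def initiate_auth_code_flow(
 domain_hint=domain_hint,
 claims=_merge_claims_challenge_and_capabilities(
 self._client_capabilities, claims_challenge),
-max_age=max_age,
+max_age=max_age, response_mode=response_mode,
 )
 flow["claims_challenge"] = claims_challenge
 return flow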
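Review bot: The docstring added in the second hunk calls "query" the default, but the new parameter defaults to None and is forwarded unchanged in the third hunk, so the effective default is whatever the underlying oidc client and the authorization server apply (for the code flow that is normally "query", but the wrapper itself does not set it); consider wording it `OPTIONAL. None (the default) lets the server pick its default response mode, which is "query" for the authorization code flow.` The docstring would also be more useful if it said why a caller would choose "form_post": the authorization code and state are delivered in the POST body instead of the redirect URL, so they stay out of browser history, Referer headers and web-server access logs. On style, the new parameter line `response_mode= None, # type: Optional[str]` has a stray space after `=`; `response_mode=None,  # type: Optional[str]` matches the neighbouring `domain_hint=None,` line. initiate_auth_code_flow starts and ends outside these hunks.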

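--- a/msal/oauth2cli/oidc.py
+++ b/msal/oauth2cli/oidc.py
@@ -184,6 +184,9 @@ def initiate_auth_code_flow(
 # Here we just automatically add it. If the caller do not want id_token,
 # they should simply go with oauth2.Client.
 _scope.append("openid")
+response_mode = kwargs.get("response_mode")
+if response_mode is not None and (response_mode != "form_post" or response_mode != "query"):
+raise ValueError('response_mode="form_post" or response_mode="query" is allowed')
 nonce = "".join(random.sample(string.ascii_letters, 16))
 flow = super(Client, self).initiate_auth_code_flow(
 scope=_scope, nonce=_nonce_hash(nonce), **kwargs)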
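Review bot: The guard added at new line 188 rejects every non-None value, including the two it is meant to accept: for `response_mode == "form_post"` the right operand `response_mode != "query"` is true, and for "query" the left operand is true, so the `or` expression is always true and initiate_auth_code_flow raises ValueError whenever a caller sets response_mode at all. Replace the condition with `if response_mode is not None and response_mode not in ("form_post", "query"):`. Once the guard works, this allow-list is the only thing keeping an arbitrary caller-supplied string out of the authorization URL built from **kwargs on the next line, so a test covering both accepted values and one rejected value would pin it down. The enclosing function starts outside the hunk.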
