1
votes

I'm working on integrating Spring Security with CAS using the OpenID Connect authorization_code flow. According to the OpenID Connect protocol, there are the following steps:

  1. ....
  2. browser gets Authentication and code from OpenID Provider
  3. browser sends the code to client
  4. client makes token request to OpenID provider for access token.
  5. ....

The issue happens at step 4. Spring Security makes the request and puts the grant_type and code info into the body instead of the URL. But CAS requires the code info to be put into the URL. [CAS API for Authorization Code]

Does anybody have experience with such a situation? Any suggestion is appreciated.


1 Answer

1
votes

You control how the code is delivered to the client using the response_mode parameter during the initial authentication request.

It specifies the method that should be used to send the resulting authorization code back to your app. Can be form_post or fragment. For web applications, we recommend using response_mode=form_post, to ensure the most secure transfer of tokens to your application.
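
The mismatch described in step 4 of the question, as an added example that is not part of the original posts: it builds the token request both ways and reports whether `grant_type` and `code` travel in the request line or in the form body. The host names, token path, code value and function names are constructed placeholders, not values from CAS or Spring Security.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

TOKEN_PARAMS = ("grant_type", "code", "redirect_uri")

# Constructed sample values (placeholders, not taken from a real deployment).
SAMPLE_URL = "https://cas.example.org/cas/oidc/token"
SAMPLE_PARAMS = {
    "grant_type": "authorization_code",
    "code": "constructed-code-123",
    "redirect_uri": "https://app.example.org/login/oauth2/code/cas",
}

def build_token_request(token_url, params, in_body=True):
    """Return the raw HTTP/1.1 token request, with params in the body or in the URL."""
    u = urlsplit(token_url)
    encoded = urlencode(params)
    if in_body:   # form-encoded body, the style the question says Spring Security sends
        target, body = u.path, encoded
        extra = ["Content-Type: application/x-www-form-urlencoded"]
    else:         # query-string style, the one the question says CAS requires
        target, body = f"{u.path}?{encoded}", ""
        extra = []
    headers = [f"Host: {u.netloc}"] + extra + [f"Content-Length: {len(body)}"]
    return f"POST {target} HTTP/1.1\r\n" + "\r\n".join(headers) + "\r\n\r\n" + body

def request_line(raw_request):
    """First line of the request: the part that access logs typically record."""
    return raw_request.split("\r\n", 1)[0]

def locate_token_params(raw_request):
    """Map each OAuth token parameter to 'url' or 'body', depending on where it travels."""
    _head, _, body = raw_request.partition("\r\n\r\n")
    _method, target, _version = request_line(raw_request).split(" ")
    in_url = parse_qs(urlsplit(target).query)
    in_form = parse_qs(body)
    found = {}
    for name in TOKEN_PARAMS:
        if name in in_url:
            found[name] = "url"
        elif name in in_form:
            found[name] = "body"
    return found

if __name__ == "__main__":
    for style in (True, False):
        req = build_token_request(SAMPLE_URL, SAMPLE_PARAMS, in_body=style)
        print(request_line(req), locate_token_params(req))
```

Running the same `locate_token_params` check against a captured request from the client shows which of the two shapes it actually emits.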