[Webkit-unassigned] [Bug 188165] iOS 12 Safari breaks ASP.NET Core 2.1 OIDC authentication

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Tue Dec 4 12:20:51 PST 2018


https://bugs.webkit.org/show_bug.cgi?id=188165

--- Comment #21 from Nicolás Sabena <nico.sabena at hotmail.com> ---
Hi Matt Roberts. 
Just to clarify, my change means that the response from the authorization server to the application happens in a GET (as opposed to a POST), which seems to play nicer with WebKit's restrictions.

By changing the response_type to "code", you force the use of the "authorization code flow" (as opposed to the default "hybrid flow"), which means that the authorization server returns a code through a GET (redirect). From the application's perspective, there needs to be a request to the token endpoint to exchange the received code for the access token and ID token (assuming that the scope included "openid"). This is of course not ideal (an extra request is needed, plus you need to manage the client secret to authorize the request to the token endpoint).

But, at least in my tests, this token exchange was done automatically by the .Net Core OIDC middleware, so I get the claims from the ID Token transparently (i.e. no other changes in code needed).

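The middleware change described in the comment above, as an added example that is not code from the bug thread or from the ASP.NET Core project: a Startup fragment for ASP.NET Core 2.1 that switches the OpenID Connect handler from its default hybrid flow (tokens delivered by form POST) to the authorization code flow (a code delivered in a GET redirect, then redeemed at the token endpoint). The authority, client id and client secret values are placeholders.

```csharp
// Added example (not from the bug thread): ASP.NET Core 2.1 Startup fragment.
// The OIDC handler's defaults request the hybrid flow ("code id_token") with
// response_mode=form_post, so the identity provider POSTs the response to the
// app's callback, which is what WebKit's restrictions interfere with here.
// Requesting only a code makes the callback a GET redirect; the handler then
// redeems the code at the token endpoint, which is why a client secret is needed.
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(options =>
            {
                options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
                options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
            })
            .AddCookie()
            .AddOpenIdConnect(options =>
            {
                // Placeholder values: substitute your identity provider's settings.
                options.Authority = "https://idp.example.com";
                options.ClientId = "example-client-id";
                // Needed for the code flow: the handler authenticates to the token
                // endpoint with it when redeeming the code. Read it from configuration
                // or a secret store rather than hard-coding it as done here.
                options.ClientSecret = "<client-secret-from-configuration>";

                // Before (the 2.1 defaults): hybrid flow, response delivered by POST.
                // options.ResponseType = OpenIdConnectResponseType.CodeIdToken; // "code id_token"
                // options.ResponseMode = OpenIdConnectResponseMode.FormPost;

                // After: authorization code flow; the callback is a GET carrying ?code=...
                // ResponseMode is set explicitly so the intent is visible in the config.
                options.ResponseType = OpenIdConnectResponseType.Code;   // "code"
                options.ResponseMode = OpenIdConnectResponseMode.Query;

                // The default scope list already contains "openid" and "profile", so the
                // token endpoint still issues an ID token and its claims reach the cookie.

                // Optional: keep the redeemed tokens alongside the authentication cookie.
                options.SaveTokens = true;
            });
    }
}
```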