Implement form_post response mode

.github/workflows/test.yaml

@@ -255,10 +255,16 @@ jobs:
           ./conformance-suite/scripts/run-test-plan.py  --expected-failures-file ./main/conformance-tests/implicit-warnings.json --expected-skips-file ./main/conformance-tests/implicit-skips.json "oidcc-implicit-certification-test-plan[server_metadata=discovery][client_registration=static_client]" ./main/conformance-tests/conformance-implicit-ci.json
       - name: Run RP logout
         run: |
-          ./conformance-suite/scripts/run-test-plan.py   "oidcc-rp-initiated-logout-certification-test-plan[response_type=code][client_registration=static_client]"   ./main/conformance-tests/conformance-rp-initiated-logout-ci.json
+          ./conformance-suite/scripts/run-test-plan.py  "oidcc-rp-initiated-logout-certification-test-plan[response_type=code][client_registration=static_client]"   ./main/conformance-tests/conformance-rp-initiated-logout-ci.json
       - name: Run RP backchannel
         run: |
-          ./conformance-suite/scripts/run-test-plan.py     "oidcc-backchannel-rp-initiated-logout-certification-test-plan[response_type=code][client_registration=static_client]" ./main/conformance-tests/conformance-back-channel-logout-ci.json
+          ./conformance-suite/scripts/run-test-plan.py  "oidcc-backchannel-rp-initiated-logout-certification-test-plan[response_type=code][client_registration=static_client]" ./main/conformance-tests/conformance-back-channel-logout-ci.json
+      - name: Run form_post basic tests
+        run: |
+          ./conformance-suite/scripts/run-test-plan.py  "oidcc-formpost-basic-certification-test-plan[server_metadata=discovery][client_registration=static_client]" ./main/conformance-tests/conformance-basic-ci.json
+      - name: Run form_post implicit tests
+        run: |
+          ./conformance-suite/scripts/run-test-plan.py  "oidcc-formpost-implicit-certification-test-plan[server_metadata=discovery][client_registration=static_client]" ./main/conformance-tests/conformance-implicit-ci.json
       - name: Stop SSP
         working-directory: ./main
         run: |

composer.json

@@ -31,7 +31,7 @@
         "psr/container": "^2.0",
         "psr/log": "^3",
         "simplesamlphp/composer-module-installer": "^1.3",
-        "simplesamlphp/openid": "~0.2.0",
+        "simplesamlphp/openid": "~0.2.3",
         "spomky-labs/base64url": "^2.0",
         "symfony/expression-language": "^7.4",
         "symfony/psr-http-message-bridge": "^7.4",

locales/en/LC_MESSAGES/oidc.po

@@ -564,3 +564,15 @@ msgstr ""
 
 msgid "enabled"
 msgstr ""
+
+msgid "Submitting..."
+msgstr ""
+
+msgid "Please wait while we redirect you..."
+msgstr ""
+
+msgid "If you are not redirected automatically, click the button below to continue."
+msgstr ""
+
+msgid "Continue"
+msgstr ""

locales/es/LC_MESSAGES/oidc.po

@@ -564,3 +564,15 @@ msgstr ""
 
 msgid "enabled"
 msgstr ""
+
+msgid "Submitting..."
+msgstr "Enviando..."
+
+msgid "Please wait while we redirect you..."
+msgstr "Por favor, espere mientras le redirigimos..."
+
+msgid "If you are not redirected automatically, click the button below to continue."
+msgstr "Si no es redirigido automáticamente, haga clic en el botón de abajo para continuar."
+
+msgid "Continue"
+msgstr "Continuar"

locales/fr/LC_MESSAGES/oidc.po

@@ -564,3 +564,16 @@ msgstr ""
 
 msgid "enabled"
 msgstr ""
+
+msgid "Submitting..."
+msgstr "Soumission en cours..."
+
+msgid "Please wait while we redirect you..."
+msgstr "Veuillez patienter pendant que nous vous redirigeons..."
+
+msgid "If you are not redirected automatically, click the button below to continue."
+msgstr "Si vous n'êtes pas redirigé automatiquement, cliquez sur le bouton ci-dessous pour continuer."
+
+msgid "Continue"
+msgstr "Continuer"
+

locales/hr/LC_MESSAGES/oidc.po

@@ -612,3 +612,15 @@ msgstr "onemogućeno"
 
 msgid "enabled"
 msgstr "omogućeno"
+
+msgid "Submitting..."
+msgstr "Slanje u tijeku..."
+
+msgid "Please wait while we redirect you..."
+msgstr "Molimo pričekajte dok vas preusmjerimo..."
+
+msgid "If you are not redirected automatically, click the button below to continue."
+msgstr "Ako niste automatski preusmjereni, kliknite na gumb ispod za nastavak."
+
+msgid "Continue"
+msgstr "Nastavi"

locales/it/LC_MESSAGES/oidc.po

@@ -564,3 +564,16 @@ msgstr ""
 
 msgid "enabled"
 msgstr ""
+
+msgid "Submitting..."
+msgstr "Invio in corso..."
+
+msgid "Please wait while we redirect you..."
+msgstr "Attendere prego durante il reindirizzamento..."
+
+msgid "If you are not redirected automatically, click the button below to continue."
+msgstr "Se non vieni reindirizzato automaticamente, fai clic sul pulsante qui sotto per continuare."
+
+msgid "Continue"
+msgstr "Continua"
+

locales/nl/LC_MESSAGES/oidc.po

@@ -518,3 +518,15 @@ msgstr "uitgeschakeld"
 
 msgid "enabled"
 msgstr "ingeschakeld"
+
+msgid "Submitting..."
+msgstr "Verzenden..."
+
+msgid "Please wait while we redirect you..."
+msgstr "Wacht alstublieft terwijl u wordt doorgestuurd..."
+
+msgid "If you are not redirected automatically, click the button below to continue."
+msgstr "Als u niet automatisch wordt doorgestuurd, klik dan op de onderstaande knop om door te gaan."
+
+msgid "Continue"
+msgstr "Doorgaan"

public/assets/js/src/formpost.js

@@ -0,0 +1 @@
+document.getElementById('formpost').submit();

routing/services/services.yml

@@ -67,6 +67,12 @@ services:
   SimpleSAML\Module\oidc\Server\ResponseTypes\TokenResponse:
     factory: ['@SimpleSAML\Module\oidc\Factories\TokenResponseFactory', 'build']
 
+  SimpleSAML\Module\oidc\Server\ResponseModes\:
+    resource: '../../src/Server/ResponseModes/*'
+
+  SimpleSAML\Configuration:
+    factory: ['SimpleSAML\Configuration', 'getInstance']
+
   oidc.key.private:
     class: League\OAuth2\Server\CryptKey
     factory: ['@SimpleSAML\Module\oidc\Factories\CryptKeyFactory', 'buildPrivateKey']

src/Controllers/Admin/ClientController.php

@@ -239,6 +239,7 @@ public function edit(Request $request): Response
 
         $clientData = $originalClient->toArray();
         $clientData['allowed_origin'] = $clientAllowedOrigins;
+        $clientData[ClientEntity::KEY_ALLOWED_RESPONSE_MODES] = $originalClient->getAllowedResponseModes();
 
         // Handle extra metadata
 
@@ -318,7 +319,6 @@ protected function buildClientEntityFromFormData(
         ?string $owner = null,
         bool $isGeneric = false,
     ): ClientEntityInterface {
-        /** @var array $data */
         $data = $form->getValues('array');
 
         if (
@@ -358,6 +358,10 @@ protected function buildClientEntityFromFormData(
             ClaimsEnum::IdTokenSignedResponseAlg->value => $idTokenSignedResponseAlg,
         ];
 
+        $allowedResponseModes = is_array($data[ClientEntity::KEY_ALLOWED_RESPONSE_MODES]) ?
+        $data[ClientEntity::KEY_ALLOWED_RESPONSE_MODES] : [];
+        $extraMetadata[ClientEntity::KEY_ALLOWED_RESPONSE_MODES] = $allowedResponseModes;
+
         return $this->clientEntityFactory->fromData(
             $identifier,
             $secret,

src/Entities/ClientEntity.php

@@ -23,6 +23,7 @@
 use SimpleSAML\Module\oidc\Entities\Interfaces\ClientEntityInterface;
 use SimpleSAML\OpenID\Codebooks\ClaimsEnum;
 use SimpleSAML\OpenID\Codebooks\ClientRegistrationTypesEnum;
+use SimpleSAML\OpenID\Codebooks\ResponseModesEnum;
 
 class ClientEntity implements ClientEntityInterface
 {
@@ -54,6 +55,7 @@ class ClientEntity implements ClientEntityInterface
     public const string KEY_EXPIRES_AT = 'expires_at';
     public const string KEY_IS_GENERIC = 'is_generic';
     public const string KEY_EXTRA_METADATA = 'extra_metadata';
+    public const string KEY_ALLOWED_RESPONSE_MODES = 'allowed_response_modes';
 
 
     private string $secret;
@@ -388,4 +390,20 @@ public function getIdTokenSignedResponseAlg(): ?string
 
         return $idTokenSignedResponseAlg;
     }
+
+    public function getAllowedResponseModes(): array
+    {
+        /** @psalm-suppress MixedAssignment */
+        $allowedResponseModes = $this->extraMetadata[self::KEY_ALLOWED_RESPONSE_MODES] ?? null;
+
+        if (is_array($allowedResponseModes)) {
+            return $allowedResponseModes;
+        }
+
+        return [
+            ResponseModesEnum::Query->value,
+            ResponseModesEnum::Fragment->value,
+            ResponseModesEnum::FormPost->value,
+        ];
+    }
 }

src/Entities/Interfaces/ClientEntityInterface.php

@@ -82,4 +82,5 @@ public function isGeneric(): bool;
 
     public function getExtraMetadata(): array;
     public function getIdTokenSignedResponseAlg(): ?string;
+    public function getAllowedResponseModes(): array;
 }

src/Factories/Grant/ImplicitGrantFactory.php

@@ -43,7 +43,6 @@ public function build(): ImplicitGrant
             $this->accessTokenRepository,
             $this->requestRulesManager,
             $this->requestParamsResolver,
-            '#',
             $this->accessTokenEntityFactory,
         );
     }

src/Factories/RequestRulesManagerFactory.php

@@ -31,11 +31,15 @@
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\RequestObjectRule;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\RequiredNonceRule;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\RequiredOpenIdScopeRule;
+use SimpleSAML\Module\oidc\Server\RequestRules\Rules\ResponseModeRule;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\ResponseTypeRule;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\ScopeOfflineAccessRule;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\ScopeRule;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\StateRule;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\UiLocalesRule;
+use SimpleSAML\Module\oidc\Server\ResponseModes\FormPostResponseMode;
+use SimpleSAML\Module\oidc\Server\ResponseModes\FragmentResponseMode;
+use SimpleSAML\Module\oidc\Server\ResponseModes\QueryResponseMode;
 use SimpleSAML\Module\oidc\Services\AuthenticationService;
 use SimpleSAML\Module\oidc\Services\LoggerService;
 use SimpleSAML\Module\oidc\Utils\AuthenticatedOAuth2ClientResolver;
@@ -72,6 +76,9 @@ public function __construct(
         private readonly AuthenticatedOAuth2ClientResolver $authenticatedOAuth2ClientResolver,
         private readonly ?FederationCache $federationCache = null,
         private readonly ?ProtocolCache $protocolCache = null,
+        private readonly QueryResponseMode $queryResponseMode,
+        private readonly FragmentResponseMode $fragmentResponseMode,
+        private readonly FormPostResponseMode $formPostResponseMode,
     ) {
     }
 
@@ -107,6 +114,14 @@ private function getDefaultRules(): array
             ),
             new ClientRedirectUriRule($this->requestParamsResolver, $this->helpers, $this->moduleConfig),
             new RequestObjectRule($this->requestParamsResolver, $this->helpers, $this->jwksResolver),
+            new ResponseModeRule(
+                $this->requestParamsResolver,
+                $this->helpers,
+                $this->moduleConfig,
+                $this->queryResponseMode,
+                $this->fragmentResponseMode,
+                $this->formPostResponseMode,
+            ),
             new PromptRule(
                 $this->requestParamsResolver,
                 $this->helpers,