Allow fragment response mode for confidential apps

Hi there,

I am trying to build a confidential client app that has a single-page app frontend, and I’d like to follow this implementation note in the OIDC spec and use response_mode=fragment:

When response parameters are returned in the Redirection URI fragment value, the Client needs to have the User Agent parse the fragment encoded values and pass them on to the Client's processing logic for consumption. User Agents that have direct access to cryptographic APIs may be able to be self-contained, for instance, with all Client code being written in JavaScript.

However, if the Client does not run entirely in the User Agent, one way to achieve this is to post them to a Web Server Client for validation.

However, when I build a confidential application and request the fragment response mode, I receive an error (application logs):

Unsupported response mode: fragment

For reference, Okta does support having a confidential client use the fragment response mode. I have similar thoughts about the web_message response mode but haven’t had a chance to test that yet :grinning:

2 Likes
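The pattern from the spec note quoted above, as an added example that is not part of the original post or of any vendor SDK: the user agent parses the fragment, checks the state value, and posts the authorization code to the confidential backend that holds the client secret. The function names, the /callback path and the injected post helper are assumptions.

```javascript
// Added example (not from the original post). Assumed names: parseFragmentResponse,
// validateFragmentResponse, forwardToBackend and the backend path /callback.

// Parse "#code=...&state=..." into a plain object. Only the parameters the
// authorization code flow defines are kept; anything else in the fragment is dropped.
function parseFragmentResponse(hash) {
  const params = new URLSearchParams(hash.startsWith('#') ? hash.slice(1) : hash);
  const allowed = ['code', 'state', 'error', 'error_description', 'iss'];
  const out = {};
  for (const key of allowed) {
    if (params.has(key)) out[key] = params.get(key);
  }
  return out;
}

// Check the response before anything leaves the user agent: state must equal the
// value stored before the authorization request (CSRF protection), an error
// response is never forwarded as a success, and a code must be present.
function validateFragmentResponse(resp, expectedState) {
  if (!resp.state || resp.state !== expectedState) {
    return { ok: false, reason: 'state mismatch' };
  }
  if (resp.error) {
    return { ok: false, reason: resp.error };
  }
  if (!resp.code) {
    return { ok: false, reason: 'missing code' };
  }
  return { ok: true, code: resp.code, state: resp.state };
}

// Hand the code to the confidential backend, which performs the token exchange.
// `post(url, body)` is injected so the function runs offline; in a browser pass
// (url, body) => fetch(url, { method: 'POST',
//   headers: { 'Content-Type': 'application/json' }, body: JSON.stringify(body) }).
async function forwardToBackend(hash, expectedState, post, callbackUrl = '/callback') {
  const check = validateFragmentResponse(parseFragmentResponse(hash), expectedState);
  if (!check.ok) return check;
  // Scrub the fragment from the address bar and history so the consumed code
  // does not linger in the user agent (browser only; no-op elsewhere).
  if (typeof history !== 'undefined' && typeof location !== 'undefined') {
    history.replaceState(null, '', location.pathname + location.search);
  }
  await post(callbackUrl, { code: check.code, state: check.state });
  return check;
}
```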

Any chance this gets implemented?
I'm trying to use Microsoft's OIDC-compliant JS lib to connect to Auth0:

It fully supports Authorization Code Flow with PKCE like Auth0 does. Only response_mode=fragment is not supported, and the MS lib does not allow changing the mode.

1 Like