simplesamlphp · Harm-r · May 6, 2026 · May 6, 2026 · May 6, 2026 · May 6, 2026
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -259,6 +259,12 @@ jobs:
       - name: Run RP backchannel
         run: |
           ./conformance-suite/scripts/run-test-plan.py     "oidcc-backchannel-rp-initiated-logout-certification-test-plan[response_type=code][client_registration=static_client]" ./main/conformance-tests/conformance-back-channel-logout-ci.json
+      - name: Run form_post basic tests
+        run: |
+          ./conformance-suite/scripts/run-test-plan.py  "oidcc-formpost-basic-certification-test-plan[server_metadata=discovery][client_registration=static_client]" ./main/conformance-tests/conformance-basic-ci.json
+      - name: Run form_post implicit tests
+        run: |
+          ./conformance-suite/scripts/run-test-plan.py  "oidcc-formpost-implicit-certification-test-plan[server_metadata=discovery][client_registration=static_client]" ./main/conformance-tests/conformance-implicit-ci.json
       - name: Stop SSP
         working-directory: ./main
         run: |

diff --git a/public/assets/js/src/formpost.js b/public/assets/js/src/formpost.js
@@ -0,0 +1 @@
+document.forms[0].submit();
diff --git a/routing/services/services.yml b/routing/services/services.yml
@@ -67,6 +67,12 @@ services:
   SimpleSAML\Module\oidc\Server\ResponseTypes\TokenResponse:
     factory: ['@SimpleSAML\Module\oidc\Factories\TokenResponseFactory', 'build']
 
+  SimpleSAML\Module\oidc\Server\ResponseModes\:
+    resource: '../../src/Server/ResponseModes/*'
+
+  SimpleSAML\Configuration:
+    factory: ['SimpleSAML\Configuration', 'getInstance']
+
   oidc.key.private:
     class: League\OAuth2\Server\CryptKey
     factory: ['@SimpleSAML\Module\oidc\Factories\CryptKeyFactory', 'buildPrivateKey']

diff --git a/src/Controllers/Admin/ClientController.php b/src/Controllers/Admin/ClientController.php
@@ -239,6 +239,7 @@ public function edit(Request $request): Response
 
         $clientData = $originalClient->toArray();
         $clientData['allowed_origin'] = $clientAllowedOrigins;
+        $clientData['response_modes_allowed'] = $originalClient->getAllowedResponseModes();
 
         // Handle extra metadata
 
@@ -358,6 +359,9 @@ protected function buildClientEntityFromFormData(
             ClaimsEnum::IdTokenSignedResponseAlg->value => $idTokenSignedResponseAlg,
         ];
 
+        $allowedResponseModes = is_array($data['response_modes_allowed']) ? $data['response_modes_allowed'] : [];
+        $extraMetadata['allowed_response_modes'] = $allowedResponseModes;
+
         return $this->clientEntityFactory->fromData(
             $identifier,
             $secret,

diff --git a/src/Entities/ClientEntity.php b/src/Entities/ClientEntity.php
@@ -388,4 +388,21 @@ public function getIdTokenSignedResponseAlg(): ?string
 
         return $idTokenSignedResponseAlg;
     }
+
+    public function getAllowedResponseModes(): array
+    {
+        if (!is_array($this->extraMetadata)) {
+            // Default to allowing all response modes
+            return ['query', 'fragment', 'form_post'];
+        }
+
+        $allowedResponseModes = $this->extraMetadata['allowed_response_modes'] ?? null;
+
+        if (!is_array($allowedResponseModes)) {
+            // Default to allowing all response modes
+            return ['query', 'fragment', 'form_post'];
+        }
+
+        return $allowedResponseModes;
+    }
 }
diff --git a/src/Entities/Interfaces/ClientEntityInterface.php b/src/Entities/Interfaces/ClientEntityInterface.php
@@ -82,4 +82,5 @@ public function isGeneric(): bool;
 
     public function getExtraMetadata(): array;
     public function getIdTokenSignedResponseAlg(): ?string;
+    public function getAllowedResponseModes(): array;
 }
diff --git a/src/Factories/Grant/ImplicitGrantFactory.php b/src/Factories/Grant/ImplicitGrantFactory.php
@@ -43,7 +43,6 @@ public function build(): ImplicitGrant
             $this->accessTokenRepository,
             $this->requestRulesManager,
             $this->requestParamsResolver,
-            '#',
             $this->accessTokenEntityFactory,
         );
     }

diff --git a/src/Factories/RequestRulesManagerFactory.php b/src/Factories/RequestRulesManagerFactory.php
@@ -31,11 +31,15 @@
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\RequestObjectRule;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\RequiredNonceRule;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\RequiredOpenIdScopeRule;
+use SimpleSAML\Module\oidc\Server\RequestRules\Rules\ResponseModeRule;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\ResponseTypeRule;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\ScopeOfflineAccessRule;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\ScopeRule;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\StateRule;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\UiLocalesRule;
+use SimpleSAML\Module\oidc\Server\ResponseModes\FormPostResponseMode;
+use SimpleSAML\Module\oidc\Server\ResponseModes\FragmentResponseMode;
+use SimpleSAML\Module\oidc\Server\ResponseModes\QueryResponseMode;
 use SimpleSAML\Module\oidc\Services\AuthenticationService;
 use SimpleSAML\Module\oidc\Services\LoggerService;
 use SimpleSAML\Module\oidc\Utils\AuthenticatedOAuth2ClientResolver;
@@ -72,6 +76,9 @@ public function __construct(
         private readonly AuthenticatedOAuth2ClientResolver $authenticatedOAuth2ClientResolver,
         private readonly ?FederationCache $federationCache = null,
         private readonly ?ProtocolCache $protocolCache = null,
+        private readonly QueryResponseMode $queryResponseMode,
+        private readonly FragmentResponseMode $fragmentResponseMode,
+        private readonly FormPostResponseMode $formPostResponseMode,
     ) {
     }
 
@@ -107,6 +114,13 @@ private function getDefaultRules(): array
             ),
             new ClientRedirectUriRule($this->requestParamsResolver, $this->helpers, $this->moduleConfig),
             new RequestObjectRule($this->requestParamsResolver, $this->helpers, $this->jwksResolver),
+            new ResponseModeRule(
+                $this->requestParamsResolver,
+                $this->helpers,
+                $this->queryResponseMode,
+                $this->fragmentResponseMode,
+                $this->formPostResponseMode,
+            ),
             new PromptRule(
                 $this->requestParamsResolver,
                 $this->helpers,

diff --git a/src/Forms/ClientForm.php b/src/Forms/ClientForm.php
@@ -284,6 +284,12 @@ public function getValues(string|object|bool|null $returnType = null, ?array $co
         $values[ClaimsEnum::IdTokenSignedResponseAlg->value] = empty($idTokenSignedResponseAlg) ?
         null : $idTokenSignedResponseAlg;
 
+        $responseModesAllowed = is_array($values['response_modes_allowed']) ? $values['response_modes_allowed'] : [];
+        $values['response_modes_allowed'] = array_intersect(
+            $responseModesAllowed,
+            array_keys($this->getAllowedResponseModesValues()),
+        );
+
         return $values;
     }
 
@@ -336,6 +342,9 @@ public function setDefaults(object|array $data, bool $erase = false): static
             $data['auth_source'] = null;
         }
 
+        $data['response_modes_allowed'] = is_array($data['response_modes_allowed']) ?
+        $data['response_modes_allowed'] : [];
+
         parent::setDefaults($data, $erase);
 
         return $this;
@@ -354,6 +363,7 @@ protected function buildForm(): void
         $this->onValidate[] = $this->validateBackChannelLogoutUri(...);
         $this->onValidate[] = $this->validateEntityIdentifier(...);
         $this->onValidate[] = $this->validateClientRegistrationTypes(...);
+        $this->onValidate[] = $this->validateResponseModes(...);
         $this->onValidate[] = $this->validateFederationJwks(...);
         $this->onValidate[] = $this->validateProtocolJwks(...);
         $this->onValidate[] = $this->validateJwksUri(...);
@@ -423,6 +433,46 @@ protected function buildForm(): void
             ->setHtmlAttribute('class', 'full-width')
             ->setItems(['RS256'], false)
             ->setPrompt(Translate::noop('-'));
+
+        $this->addMultiSelect(
+            'response_modes_allowed',
+            Translate::noop('Allowed Response Modes'),
+            $this->getAllowedResponseModesValues(),
+            3,
+        )->setHtmlAttribute('class', 'full-width')
+         ->setRequired(Translate::noop('At least one response mode is required.'));
+    }
+
+    /**
+     * Validate provided response modes
+     *
+     * @throws \Exception
+     */
+    public function validateResponseModes(Form $form): void
+    {
+        $values = $form->getValues(self::TYPE_ARRAY);
+        /** @var string[]|null $responseModes */
+        $responseModes = $values['response_modes_allowed'] ?? null;
+        if (is_array($responseModes)) {
+            $allowed = array_keys($this->getAllowedResponseModesValues());
+            foreach ($responseModes as $mode) {
+                if (!in_array($mode, $allowed, true)) {
+                    $this->addError("Invalid value: $mode");
+                }
+            }
+        }
+    }
+
+    /**
+     * @return string[] map of value => label
+     */
+    protected function getAllowedResponseModesValues(): array
+    {
+        return [
+            'query' => 'query',
+            'fragment' => 'fragment',
+            'form_post' => 'form_post',
+        ];
     }
 
     /**

diff --git a/src/Server/AuthorizationServer.php b/src/Server/AuthorizationServer.php
@@ -22,9 +22,11 @@
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\ClientRule;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\IdTokenHintRule;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\PostLogoutRedirectUriRule;
+use SimpleSAML\Module\oidc\Server\RequestRules\Rules\ResponseModeRule;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\StateRule;
 use SimpleSAML\Module\oidc\Server\RequestRules\Rules\UiLocalesRule;
 use SimpleSAML\Module\oidc\Server\RequestTypes\LogoutRequest;
+use SimpleSAML\Module\oidc\Server\ResponseModes\QueryResponseMode;
 use SimpleSAML\Module\oidc\Services\LoggerService;
 use SimpleSAML\OpenID\Codebooks\HttpMethodsEnum;
 
@@ -85,13 +87,14 @@ public function validateAuthorizationRequest(ServerRequestInterface $request): O
             StateRule::class,
             ClientRule::class,
             ClientRedirectUriRule::class,
+            ResponseModeRule::class,
         ];
 
         try {
             $resultBag = $this->requestRulesManager->check(
                 $request,
                 $rulesToExecute,
-                false,
+                new QueryResponseMode(),
                 [HttpMethodsEnum::GET, HttpMethodsEnum::POST],
             );
         } catch (OidcServerException $exception) {
@@ -114,6 +117,8 @@ public function validateAuthorizationRequest(ServerRequestInterface $request): O
         $state = $resultBag->getOrFail(StateRule::class)->getValue();
         /** @var string $redirectUri */
         $redirectUri = $resultBag->getOrFail(ClientRedirectUriRule::class)->getValue();
+        /** @var \SimpleSAML\Module\oidc\Server\ResponseModes\ResponseModeInterface $responseMode */
+        $responseMode = $resultBag->getOrFail(ResponseModeRule::class)->getValue();
 
         foreach ($this->enabledGrantTypes as $grantType) {
             $this->loggerService?->debug(
@@ -157,7 +162,7 @@ public function validateAuthorizationRequest(ServerRequestInterface $request): O
             'request.',
             ['requestQueryParams' => $request->getQueryParams()],
         );
-        throw OidcServerException::unsupportedResponseType($redirectUri, $state);
+        throw OidcServerException::unsupportedResponseType($redirectUri, $state, $responseMode);
     }
 
     /**
@@ -177,7 +182,7 @@ public function validateLogoutRequest(ServerRequestInterface $request): LogoutRe
             $resultBag = $this->requestRulesManager->check(
                 $request,
                 $rulesToExecute,
-                false,
+                new QueryResponseMode(),
                 [HttpMethodsEnum::GET, HttpMethodsEnum::POST],
             );
         } catch (OidcServerException $exception) {