In OAuth User Agent flow callback may be performed via a POST request if the id_token scope is requested
Last updated 2022-02-10 · Reference W-5933384 · Reported By 14 users
In the OAuth User Agent flow (https://help.salesforce.com/articleView?id=remoteaccess_oauth_user_agent_flow.htm&type=5), if the corresponding connected app has been configured to return custom attributes, and the id_token scope is requested (as explained at https://help.salesforce.com/articleView?id=remoteaccess_using_id_token.htm&type=5), Salesforce may perform the callback via a POST request instead of a GET request based on the resulting callback URL's length (which would include the access token and id token in the URL fragment). This prevents certain SPAs (Single Page Applications) from retrieving the access token in the URL fragment.
1) Create a connected app. Ensure the openid scope is selected. Configure the ID token, and select Include Custom Attributes. Add a number of custom attributes containing long pieces of text.
2) Go to https://login.salesforce.com/services/oauth2/authorize?response_type=token%20id_token&client_id=<client_id>&redirect_uri=<callback_URL>&nonce=<nonce_value>&scope=openid
Actual result: Callback will be performed via POST request based on the callback URL's length.
Expected result: Callback is performed via GET request.
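The following is an added example, not code from the Salesforce article, showing how an SPA consumes the user-agent-flow callback it expects (tokens in the URL fragment) and how it can tell that no fragment arrived, which is what the page describes when Salesforce POSTs the callback instead. The fragment layout (`access_token`, `instance_url`, `token_type`, `id_token`) follows the documented user-agent flow; the sample hash, nonce and id_token are constructed here, and verifying the id_token signature against the issuer's keys is left out.

```javascript
// Added example (not from the Salesforce article): consume a user-agent-flow
// callback delivered in the URL fragment, and detect the case where no
// fragment is present (the symptom when the callback was POSTed instead).
// Assumes the fragment shape Salesforce documents for the user-agent flow:
//   #access_token=...&instance_url=...&token_type=Bearer&id_token=...
// Signature verification of the id_token (JWKS lookup) is out of scope here.

function base64UrlDecode(s) {
  // JWT segments are unpadded base64url; convert to standard base64 first.
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('malformed id_token');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Parse window.location.hash. Returns null when no token fragment is present,
// which is the signal that the tokens were not delivered via a GET redirect.
function parseCallbackFragment(hash, expectedNonce) {
  const fragment = hash.startsWith('#') ? hash.slice(1) : hash;
  if (!fragment) return null;
  const params = new URLSearchParams(fragment);
  const accessToken = params.get('access_token');
  if (!accessToken) return null;
  const result = {
    accessToken,
    instanceUrl: params.get('instance_url'),
    tokenType: params.get('token_type'),
    idTokenClaims: null,
  };
  const idToken = params.get('id_token');
  if (idToken) {
    const claims = decodeJwtPayload(idToken);
    // The nonce sent on the authorize request must come back in the id_token;
    // a mismatch means this token was not minted for this login attempt.
    if (claims.nonce !== expectedNonce) throw new Error('id_token nonce mismatch');
    result.idTokenClaims = claims;
  }
  return result;
}

// --- constructed sample data below; not a real Salesforce response ---
function base64UrlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function makeSampleIdToken(nonce) {
  // Header and payload are all the parser needs; the signature is a placeholder.
  return `${base64UrlEncode({ alg: 'RS256', typ: 'JWT' })}.` +
    `${base64UrlEncode({ sub: 'sample-user', nonce })}.placeholder-signature`;
}

const SAMPLE_NONCE = 'sample-nonce-123';
const SAMPLE_HASH =
  '#access_token=sample-access-token' +
  '&instance_url=https%3A%2F%2Fexample.my.salesforce.com' +
  '&token_type=Bearer' +
  '&id_token=' + makeSampleIdToken(SAMPLE_NONCE);

// Stand-alone run: the constructed fragment parses; an empty hash yields null.
console.log(parseCallbackFragment(SAMPLE_HASH, SAMPLE_NONCE));
console.log(parseCallbackFragment('', SAMPLE_NONCE));
```

In a real SPA the `null` return is the branch to watch: if the callback page loads with no fragment, the tokens were not delivered the way the user-agent flow promises, and the app should fall back (for example to the web-server flow the workaround below recommends) rather than retry the same authorize URL.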
Consider using the OAuth Web Server flow (https://help.salesforce.com/articleView?id=remoteaccess_oauth_web_server_flow.htm&type=5). This lets you retrieve the id token via a POST request.
Alternatively, if a JWT containing the custom attributes is required, consider the OAuth Asset Token flow (https://help.salesforce.com/articleView?id=remoteaccess_oauth_asset_token_flow.htm&type=5), which lets you exchange an access token for a JWT.