Please do not report security vulnerabilities here. The Responsible Disclosure Program details the procedure for disclosing security issues.
Thank you in advance for helping us to improve this library! Your attention to detail here is greatly appreciated and will help us respond as quickly as possible. For general support or usage questions, use the Auth0 Community or Auth0 Support. Finally, to avoid duplicates, please search existing Issues before submitting one here.
By submitting an Issue to this repository, you agree to the terms within the Auth0 Code of Conduct.
Describe the problem you'd like to have solved
When using a Regular Web Application client type, the strategy doesn't support using OAuth 2.0 Form Post Response Mode even though it is supported by the API (form_post is available in the list of response_modes_supported options listed in my tenant's OIDC configuration).
Describe the ideal solution
That when configuring the strategy, the response_mode is an option.
Alternatives and current work-arounds
Currently the strategy's default response_type of code is sufficient as the code is exchanged for the tokens I need. However, it involves an extra network round trip which is not really necessary given that the tokens can be POSTed into my application server when the browser is redirected if Form Post Response Mode was available.
Additional context
Reading through the code for this library, and seeing how it builds on passport-oauth2, I'm not sure if this library is the right place. However, there doesn't appear to be an appetite to include the necessary changes in passport-oauth2, so perhaps either migrating to passport-next or implementing the necessary logic in this library is required.
Hey @kierans thanks for raising an issue on this library. Unfortunately this library will be taking no more feature requests. You can check out the advisory notice that I raised in this PR #135
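For readers handling Form Post Response Mode themselves, the following added example (not code from passport-auth0 or passport-oauth2) sketches the request and callback checks the issue describes: confirming form_post in response_modes_supported, sending response_mode=form_post, and validating state on the POSTed body. The function names, the tenant.example endpoint and the sample values are assumptions constructed for illustration.

```javascript
const nodeCrypto = require("node:crypto");

// True when the provider's discovery document advertises form_post.
function supportsFormPost(discovery) {
  return Array.isArray(discovery.response_modes_supported) &&
    discovery.response_modes_supported.includes("form_post");
}

// Build the authorization request. state and nonce are per-login random values
// that the application stores in the user's session before redirecting.
function buildAuthorizeUrl(discovery, { clientId, redirectUri, responseType, state, nonce }) {
  if (!supportsFormPost(discovery)) throw new Error("form_post not advertised");
  const url = new URL(discovery.authorization_endpoint);
  url.search = new URLSearchParams({
    client_id: clientId, redirect_uri: redirectUri, response_type: responseType,
    response_mode: "form_post", scope: "openid", state, nonce,
  }).toString();
  return url.toString();
}

// Parse the application/x-www-form-urlencoded body the browser POSTs to the
// callback and reject it unless state matches the value stored for this login.
function parseFormPostCallback(rawBody, expectedState) {
  const form = new URLSearchParams(rawBody);
  const state = Buffer.from(form.get("state") || "");
  const expected = Buffer.from(expectedState);
  if (state.length !== expected.length || !nodeCrypto.timingSafeEqual(state, expected)) {
    throw new Error("state mismatch");
  }
  if (form.has("error")) throw new Error(`authorization error: ${form.get("error")}`);
  // An id_token still needs signature, iss, aud, exp and nonce validation before use.
  return { code: form.get("code"), idToken: form.get("id_token") };
}

// Constructed sample discovery document (hypothetical tenant).
const sampleDiscovery = {
  authorization_endpoint: "https://tenant.example/authorize",
  response_modes_supported: ["query", "fragment", "form_post"],
};
```

Because the callback arrives as a cross-site POST, a session cookie set with SameSite=Lax or Strict is not sent with it, so the cookie that carries state and nonce has to be issued with SameSite=None and Secure.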