From b905f2cd934315100dadc5c64203533fa4c9aa70 Mon Sep 17 00:00:00 2001
From: Michael Cornel
Date: Wed, 23 Jul 2025 22:40:12 +0200
Subject: [PATCH] feat: use non-default authorization request response mode in OIDC providers (#3055)
* fix: OIDC sets response mode
* Update CHANGELOG
---
 CHANGELOG.md | 1 +
 providers/oidc.go | 5 +++++
 providers/oidc_test.go | 29 +++++++++++++++++++++++++++++
 3 files changed, 35 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ea7b0b09..78718cc3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -14,6 +14,7 @@
 - [#2359](https://github.com/oauth2-proxy/oauth2-proxy/pull/2359) feat: add SourceHut (sr.ht) provider(@bitfehler)
 - [#2524](https://github.com/oauth2-proxy/oauth2-proxy/pull/2524) fix: regex substitution for $ signs in upstream path handling before running envsubst (@dashkan / @tuunit)
 - [#3104](https://github.com/oauth2-proxy/oauth2-proxy/pull/3104) feat(cookie): add feature support for cookie-secret-file (@sandy2008)
+- [#3055](https://github.com/oauth2-proxy/oauth2-proxy/pull/3055) feat: support non-default authorization request response mode also for OIDC providers (@stieler-it)
 
 # V7.10.0
 
diff --git a/providers/oidc.go b/providers/oidc.go
index 43b5227e..15598aba 100644
--- a/providers/oidc.go
+++ b/providers/oidc.go
@@ -61,6 +61,11 @@ func (p *OIDCProvider) GetLoginURL(redirectURI, state, nonce string, extraParams
 	if !p.SkipNonce {
 		extraParams.Add("nonce", nonce)
 	}
+	// Response mode should only be set if a non default mode is requested
+	if p.AuthRequestResponseMode != "" {
+		extraParams.Add("response_mode", p.AuthRequestResponseMode)
+	}
+
 	loginURL := makeLoginURL(p.Data(), redirectURI, state, extraParams)
 	return loginURL.String()
 }
diff --git a/providers/oidc_test.go b/providers/oidc_test.go
index 6a49f8ff..81a70eb4 100644
--- a/providers/oidc_test.go
+++ b/providers/oidc_test.go
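Review bot: In the new `if p.AuthRequestResponseMode != ""` block the configured value is forwarded verbatim with no check that it is a mode the server-side code-flow callback can consume; unless it is validated where the option is parsed (not visible in this hunk), a value such as `fragment` yields an authorization request whose code and state never reach the callback, so the check belongs at option load time or the constraint at least needs documenting. The same applies to `form_post`, which makes the IdP deliver code and state by a cross-site POST: under browser SameSite rules a Lax or Strict cookie the callback relies on for state verification is not sent on that request, which is worth a comment here such as `// form_post returns code/state via cross-site POST: a SameSite=Lax/Strict CSRF cookie will not accompany it, so state validation at the callback fails`. Also, `extraParams.Add` appends rather than replaces, so a caller that already put `response_mode` into extraParams would produce a duplicated parameter that OAuth servers may reject; `extraParams.Set("response_mode", p.AuthRequestResponseMode)` avoids that. GetLoginURL begins before this hunk; only its tail is visible.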
@@ -275,3 +275,32 @@ func TestOIDCProviderCreateSessionFromToken(t *testing.T) {
 		})
 	}
 }
+
+func TestOIDCProviderResponseModeConfigured(t *testing.T) {
+	providerData := &ProviderData{
+		LoginURL: &url.URL{
+			Scheme: "http",
+			Host:   "my.test.idp",
+			Path:   "/oauth/authorize",
+		},
+		AuthRequestResponseMode: "form_post",
+	}
+	p := NewOIDCProvider(providerData, options.OIDCOptions{})
+
+	result := p.GetLoginURL("https://my.test.app/oauth", "", "", url.Values{})
+	assert.Contains(t, result, "response_mode=form_post")
+}
+
+func TestOIDCProviderResponseModeNotConfigured(t *testing.T) {
+	providerData := &ProviderData{
+		LoginURL: &url.URL{
+			Scheme: "http",
+			Host:   "my.test.idp",
+			Path:   "/oauth/authorize",
+		},
+	}
+	p := NewOIDCProvider(providerData, options.OIDCOptions{})
+
+	result := p.GetLoginURL("https://my.test.app/oauth", "", "", url.Values{})
+	assert.NotContains(t, result, "response_mode")
+}
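Review bot: Both new tests assert on the raw login URL with a substring match, so `assert.Contains(t, result, "response_mode=form_post")` would also pass on a malformed query (the parameter glued to a neighbour, or emitted twice), and `assert.NotContains(t, result, "response_mode")` could misfire if any other parameter value ever contained that text. Parsing the result is as short and more precise: `u, err := url.Parse(result); assert.NoError(t, err); assert.Equal(t, "form_post", u.Query().Get("response_mode"))`, with `assert.Empty(t, u.Query().Get("response_mode"))` for the not-configured case; `net/url` is already in use in this hunk. The two tests differ only in the configured mode and the expectation, so a small table would cover both and leave room for an invalid-mode case if the provider ever rejects unknown modes.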