Document ID : KB000093599
Last Modified Date : 01/05/2018
Show Technical Document Details
Customer is using Implicit flow C SHARP APS.NET application expecting access token from APIM OAuth

1. Client login receives OAuth token from APIM gateway
2. Successfully gets a token then clicks GRANT - forwards to  ASP.NET application with id_token in URL

NOTE: the implicit flow #
Location: https://client.example.org/cb#
  &id_token=eyJ0 ... NiJ9.eyJ1c ... I6IjIifX0.DeWt4Qu ... ZXso

At this point the client gets a blank page, exception is observed on APS.NET side 

System.Exception: An OpenID Connect response cannot contain an identity token or an access token when using response_mode=query
   at Microsoft.AspNetCore.Authentication.RemoteAuthenticationHandler`1.<HandleRequestAsync>d__12.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()

C SHARP ASP.NET application integration

More info on APS.NET Core:
Implicit flow uses client-side scripting.  C SHARP ASP.NET is server-side scripting solution.  This is the cause of the failure
Switched to JavaScript successfully able to process request
Additional Information:
Example POST including hre # (implicit flow):
Location: https://client.example.org/cb#
  &id_token=eyJ0 ... NiJ9.eyJ1c ... I6IjIifX0.DeWt4Qu ... ZXso

The browser would then exclude the "fragment" when it redirects to the target location. JavaScript code in the browser is expected to submit the relevant token(s) using a more secure mechanism (e.g. POST body).
According to “The OAuth 2.0 Authorization Framework” (RFC 6749), the “Implicit flow” is for browser clients as described below:

1.3.2.  Implicit

   The implicit grant is a simplified authorization code flow optimized
   for clients implemented in a browser using a scripting language such
   as JavaScript.  In the implicit flow, instead of issuing the client
   an authorization code, the client is issued an access token directly
Their use of “Angular” should be fine, but ASP.NET is server-side scripting