Create a state id without restart url #26
Conversation
The restart url only makes sense for saml idps, and it will potentially leak quite a bit of information that was encoded in the url to the OP. Also the shorted state parameter makes for nice urls.
|
The problem with removing the restart URL is that if something goes wrong, it's impossible to recover from that... |
|
As far as I understand it, the restart url is only used to trigger a "idp initiated login" in saml flows if the state was somehow missing. OpenID Connect and OAuth2 has no such thing. In fact, if a oauth2 client did respond to a unsolicited login response, this would be considered a CSRF vulnerability in the client and it is explicitly forbidden by the oauth2 specs. What error scenarios were you thinking of that could be recovered by having this url in the state? |
|
Could you make this a configuration option? I understand your point about it being forbidden by oauth2 spec but it seems that CSRF is a "feature" of saml since there is IDP initiated logins and SP have request initiated logins, both with can be initiated by any party. The error scenario that is most common for us, where having the restart url could be useful, is when users decided to click back in the browser and Google/etc sends us a new code. Currently we just tell the user not to click back, but we may want to handle it with the restart url in the future. |
The restart url only makes sense for saml idps, and it will
potentially leak quite a bit of information that was encoded in the
url to the OP. Also the shorted state parameter makes for nice urls.