
Interrupted OAuth flow hijacks future requests (auth_callback_method) #49

Open
canavese opened this issue Dec 20, 2010 · 1 comment

@canavese

We're seeing a problem case where a user initiates the OAuth flow and the session gets populated with auth_callback_method set to POST. Something keeps the full flow from completing (we're doing this on mobile phones, so that's not unlikely). So the user is back navigating the rest of our application with that parameter still stuck in the session.

As long as they try to hit URLs that do not work with POST, the Authlogic Connect code will continue to turn the requests into POSTs and result in 404s. It seems like the auth_callback_method handling should be restricted to particular URLs.

@canavese
Author

I'm trying to fix this myself, since it's a significant issue for the app I'm working on.

It seems like the "right" way to fix this would be for the CallbackFilter to compare the current path with auth_callback_url. If they match, then the request can be changed to use auth_callback_method. If it does not match, then the session should probably be cleared of all Authlogic Connect parameters. Does that sound right?

The problem I am having is that there doesn't seem to be a good way for the CallbackFilter to determine what auth_callback_url is. Any ideas?
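The fix sketched above, written out as an added example rather than Authlogic Connect's own code: a Rack-style `CallbackFilter` that only honours a stored `auth_callback_method` when the request path matches the stored callback URL, and otherwise clears the stale callback state so an interrupted OAuth flow cannot keep turning unrelated requests into POSTs. It assumes the callback URL is kept in the session under `auth_callback_url` (the session key names and the echo app are assumptions made for this illustration).

```ruby
require 'uri'

# Added example, not the gem's code. Session keys the filter owns; names are
# assumed from the issue text. Extend with whatever else the gem stores.
class CallbackFilter
  CALLBACK_KEYS = %w[auth_callback_method auth_callback_url].freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    session = env['rack.session'] ||= {}
    method  = session['auth_callback_method']
    target  = session['auth_callback_url']

    if method && target
      if callback_request?(env, target)
        # Only the real callback request may have its method overridden.
        env['REQUEST_METHOD'] = method.to_s.upcase
      else
        # The user navigated elsewhere: the flow was interrupted, so drop the
        # callback state instead of rewriting this unrelated request.
        CALLBACK_KEYS.each { |k| session.delete(k) }
      end
    end
    @app.call(env)
  end

  private

  # Compare the path component only; the path is what decides whether the
  # rewritten request can be routed at all.
  def callback_request?(env, callback_url)
    expected = URI.parse(callback_url.to_s).path
    expected = '/' if expected.nil? || expected.empty?
    env['PATH_INFO'] == expected
  rescue URI::InvalidURIError
    false
  end
end

# Hypothetical downstream app: reports the HTTP method it actually received.
ECHO_APP = lambda { |env| [200, {}, [env['REQUEST_METHOD']]] }

# Constructed helper: push one request through the filter and return the
# method the app saw together with the session left behind.
def simulate(session, path, method = 'GET')
  env = { 'REQUEST_METHOD' => method, 'PATH_INFO' => path, 'rack.session' => session }
  _status, _headers, body = CallbackFilter.new(ECHO_APP).call(env)
  [body.first, session]
end
```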
