Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OIDC support for SimpleSamlPhp consent #210

Closed
zoghlamikaiseruqam opened this issue Nov 30, 2023 · 6 comments
Closed

OIDC support for SimpleSamlPhp consent #210

zoghlamikaiseruqam opened this issue Nov 30, 2023 · 6 comments
Milestone
v6.x

Comments

@zoghlamikaiseruqam
Copy link

zoghlamikaiseruqam commented Nov 30, 2023
edited
Loading

Hi,
We are using OIDC v2.1.2 and we are deploying the consent module offered by SSP 1.19. I was wondering if the consent module is supported by the OIDC flows in this module?
Regards,
Kaiser.
@pradtke
Copy link
Collaborator

pradtke commented Nov 30, 2023

Hi @zoghlamikaiseruqam

I believe the consent module interacts with a user, and user interaction is not support when running authproc filters from OIDC. There may be additional assumptions made in the consent module about it running in a SAML authentication context, but the main blocker for use is the user interaction portion.

@zoghlamikaiseruqam
Copy link
Author

Hi @pradtke
Thank you for your quick answer.
Yes unfortunately, it seems that the user interaction portion is not supported when running authproc filters from OIDC.
It's a kind of deal breaker since regulation policies are now asking identity providers to have user consent before transferring any user data to 3rd party SPs.
By any chance, would you have any ideas on how to work around this issue and if this ticket could be added in SSP backlogs for a near release?
Thank you!

@tvdijen
Copy link
Member

tvdijen commented Nov 30, 2023

I think that if this module would re-use SSP's ProcessingChain instead of executing the filters directly, it should be able to work with filters that do user interaction

@pradtke
Copy link
Collaborator

pradtke commented Nov 30, 2023

@tvdijen That's also what I am thinking. I have similar ticket to test out the ProcessingChain for the authoauth2 module.

@zoghlamikaiseruqam When I say the user interaction is not supported, the issue is really that the OIDC module would not resume processing the list of authprocs at the next filter, I think it would start at the beginning. This may okay in your case - if the user saves their choice then if the consent module reran it would see the saved choice and not interact with the user on the second run of the filters. However I'm not that familiar with the consent module.

As for timing for a real fix, I'm not sure. I think there would need to be some experimentation with ProcessingChain (like @tvdijen suggested) and see if it works or if it has assumption about what $state data is set in a SAML context.

@cicnavi
Copy link
Collaborator

cicnavi commented Dec 1, 2023

Related to #179

@pradtke
Copy link
Collaborator

pradtke commented Jul 11, 2024

Should be part of the next major release. Functionality merged in #228

@cicnavi cicnavi added this to the v6.x milestone Feb 1, 2025
@cicnavi cicnavi closed this as completed Feb 10, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v6.x
Development

No branches or pull requests
4 participants
@tvdijen @pradtke @cicnavi @zoghlamikaiseruqam