FusionAuth / fusionauth-issues

FusionAuth issue submission project
https://fusionauth.io

Login via OpenID Connect provider without registration results in redirect with userState=Authenticated #1112

Open jkoelewijn opened 3 years ago

jkoelewijn commented 3 years ago

Login via OpenID Connect provider without registration has userState=Authenticated

Description

Login via OpenID Connect provider redirects with userState=Authenticated instead of userState=AuthenticatedNotRegistered when there is no registration for the application.

Affects versions

Steps to reproduce

Steps to reproduce the behavior:

  1. Add OpenID Connect provider.
  2. Enable for an application, but don't check "Create registration".
  3. Login to application by clicking on the OpenID Connect provider button.
  4. In the redirect URL observe that userState=Authenticated instead of userState=AuthenticatedNotRegistered.

Expected behavior

In step 4 I would expect to see userState=AuthenticatedNotRegistered.

Additional context

When the session is remembered by FusionAuth (and no login screen is shown), then this bug is not triggered and the redirect contains userState=AuthenticatedNotRegistered.

Workaround

Let the client application check whether the applicationId claim is present in the JWT. If this is not the case, there exists no registration for the application.

robotdan commented 3 years ago

We'll see if we can recreate. As a side note, regardless of the redirect parameter, you should always be checking the applicationId and roles claims in the JWT.

The request parameter is more susceptible to manipulation; the JWT is signed, and if you are verifying the signature then you know it has not been tampered with.

The request parameter is just a hint, but it should not be the only way to verify authorization to an application.
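The check described in the workaround and in the comment above, as an added example that is not FusionAuth's own code: verify the access token's signature first, then decide from the applicationId and roles claims rather than from the userState redirect parameter. It assumes an HS256-signed token with a constructed demo secret and application id (both placeholders); a real client verifies with the signing key or public key configured for the FusionAuth application.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret (assumption): a real client uses the key configured
# for the FusionAuth application, not a hard-coded value.
DEMO_SECRET = b"constructed-demo-secret-not-a-real-key"

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_demo_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Build a constructed HS256 JWT so the example runs offline."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"

def verify_hs256(token: str, secret: bytes = DEMO_SECRET, now=None) -> dict:
    """Return the claims only if signature and expiry check out; raise otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") != "HS256":  # never let the token choose the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(parts[1]))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims

def authorize(token: str, expected_app_id: str, required_role=None,
              secret: bytes = DEMO_SECRET) -> str:
    """Decide access from the signed claims; the userState hint is ignored."""
    claims = verify_hs256(token, secret)
    # A missing or different applicationId means no registration for this app.
    if claims.get("applicationId") != expected_app_id:
        return "AuthenticatedNotRegistered"
    if required_role and required_role not in claims.get("roles", []):
        return "MissingRole"
    return "Authorized"
```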

Steve-MP commented 3 years ago

Didn't you remove the applicationId and roles claims from the JWT in version 1.24.0? https://fusionauth.io/docs/v1/tech/release-notes/

mooreds commented 3 years ago

@Steve-MP only from the id_token. The access_token still has all of that information.