InseeFr / Keycloak-FranceConnect

Keycloak extension that simplifies the use of FranceConnect
MIT License

[QUESTION] Support for absence of state parameter in logout response #106

Open clement-dufaure opened 6 months ago

clement-dufaure commented 6 months ago

The previous version of this plugin had a switch to allow for the absence of the state parameter in the FranceConnect logout response (for CSRF protection).

Should we reintroduce this switch in the admin panel, or should we definitively remove support for accepting logout responses without a state parameter?

It's about code around https://github.com/InseeFr/Keycloak-FranceConnect/blob/master/src/main/java/fr/insee/keycloak/providers/common/AbstractBaseIdentityProvider.java#L202C1-L211C100
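To make the two options discussed in this issue concrete, here is an added Java example (not the plugin's own code, and not using any Keycloak API) of how a logout-response handler can validate the echoed state parameter against the value stored in the session, with a boolean switch that decides whether a response lacking the parameter is accepted. The class name, the `allowMissingState` flag and the sample state value are assumptions made for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Optional;

/**
 * Added example (hypothetical, not from the Keycloak-FranceConnect project):
 * validates the state parameter returned by the identity provider after logout.
 * The state acts as a CSRF token: it is generated and stored in the user's
 * session before redirecting to the provider's logout endpoint, and the
 * provider must echo it back unchanged.
 */
public final class LogoutStateCheck {

    /** Outcome of validating one logout response. */
    public enum Result { OK, MISSING_STATE, STATE_MISMATCH }

    /** The "switch" discussed in the issue: accept responses without a state parameter. */
    private final boolean allowMissingState;

    public LogoutStateCheck(boolean allowMissingState) {
        this.allowMissingState = allowMissingState;
    }

    /**
     * @param expectedState the state value stored in the session when the
     *                      logout request was issued (storage is hypothetical here)
     * @param receivedState the state query parameter from the provider's
     *                      redirect, empty when the parameter is absent
     */
    public Result validate(String expectedState, Optional<String> receivedState) {
        if (receivedState.isEmpty()) {
            // Lenient mode accepts the response without any CSRF binding;
            // strict mode rejects it, which is what the provider's documentation
            // makes possible once the parameter is always sent.
            return allowMissingState ? Result.OK : Result.MISSING_STATE;
        }
        byte[] expected = expectedState.getBytes(StandardCharsets.UTF_8);
        byte[] received = receivedState.get().getBytes(StandardCharsets.UTF_8);
        // Constant-time comparison so the check does not leak how many
        // leading bytes matched through timing differences.
        return MessageDigest.isEqual(expected, received) ? Result.OK : Result.STATE_MISMATCH;
    }

    public static void main(String[] args) {
        LogoutStateCheck strict = new LogoutStateCheck(false);
        LogoutStateCheck lenient = new LogoutStateCheck(true);
        String stored = "constructed-state-value-123"; // constructed sample value

        System.out.println("strict, state echoed back:  " + strict.validate(stored, Optional.of(stored)));
        System.out.println("strict, state absent:       " + strict.validate(stored, Optional.empty()));
        System.out.println("lenient, state absent:      " + lenient.validate(stored, Optional.empty()));
        System.out.println("strict, different state:    " + strict.validate(stored, Optional.of("other")));
    }
}
```

Only the absent-state case differs between the two modes: a mismatching state is rejected regardless of the switch, so re-enabling the switch only weakens the check for responses that carry no state at all, which is exactly the case the thread is deciding whether to keep supporting.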

lme-atolcd commented 6 months ago

Should we reintroduce this switch in the admin panel, or should we definitively remove support for accepting logout responses without a state parameter?

As stated in the FranceConnect documentation for the Logout Endpoint, the state parameter is required. So I think we could drop support for logout responses without a state parameter.

micedre commented 6 months ago

FYI, this switch was introduced because FranceConnect stopped sending the parameter in the logout response (see issue #6). If this was corrected by FC, it seems best not to reintroduce it.