Open clement-dufaure opened 6 months ago
As stated in the FranceConnect documentation for the Logout Endpoint, the state parameter is required. So I think we could drop support for logout responses without a state parameter.
FYI, this switch was introduced because FranceConnect stopped sending the parameter in the logout response (see issue #6). If this was corrected by FC, it seems best to not reintroduce it.
The previous version of this plugin had a switch to allow for the absence of the state parameter in the FranceConnect logout response (for CSRF protection).
Should we reintroduce this switch in the admin panel, or should we definitively remove support for accepting logout responses without a state parameter?
It's about code around https://github.com/InseeFr/Keycloak-FranceConnect/blob/master/src/main/java/fr/insee/keycloak/providers/common/AbstractBaseIdentityProvider.java#L202C1-L211C100
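As an added illustration (not code from the Keycloak-FranceConnect plugin; the class, method and sample value are hypothetical), this is the kind of check the switch toggles: with `allowMissing` set, a logout callback that carries no state is accepted without any proof that it was triggered by our own logout request.

```java
// Added example, not the plugin's own code: minimal validation of the state
// parameter returned on an OIDC logout callback, showing what the legacy
// "allow missing state" switch gives up. Names are hypothetical.
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

public class LogoutStateCheck {

    /** Outcome of validating the state parameter of a logout response. */
    public enum Result { OK, MISSING_STATE, STATE_MISMATCH }

    /**
     * @param expectedState random value stored in the user's session when the
     *                      RP-initiated logout request was sent
     * @param receivedState the state query parameter echoed back by the IdP,
     *                      or null when absent
     * @param allowMissing  the legacy switch: accept a response without state
     */
    public static Result validate(String expectedState, String receivedState,
                                  boolean allowMissing) {
        if (receivedState == null || receivedState.isEmpty()) {
            // Weak configuration: a response with no state cannot be tied to a
            // logout this session actually started, so a cross-site request to
            // the callback URL is indistinguishable from a legitimate one.
            return allowMissing ? Result.OK : Result.MISSING_STATE;
        }
        // Strict path: compare in constant time so a mismatch does not leak
        // information about the expected value through timing.
        byte[] expected = expectedState.getBytes(StandardCharsets.UTF_8);
        byte[] received = receivedState.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, received) ? Result.OK : Result.STATE_MISMATCH;
    }

    public static void main(String[] args) {
        String expected = "constructed-sample-state"; // constructed sample value
        System.out.println(validate(expected, expected, false));
        System.out.println(validate(expected, "some-other-value", false));
        System.out.println(validate(expected, null, false));
        System.out.println(validate(expected, null, true));
    }
}
```

The last call is the case the switch enabled: dropping the switch means the callback is rejected whenever the IdP omits state, which is what the FranceConnect documentation requires anyway.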