The spec recommends clients to use a unique identifier in the SSO redirect URL to guard against unsolicited login attempts. Element Web doesn't appear to do this at the moment:
This is already done in Element Desktop. Element Web has other mitigations against unsolicited login attempts. In Native OIDC it properly uses the state parameter.
Your use case
What would you like to do?
The spec recommends clients to use a unique identifier in the SSO redirect URL to guard against unsolicited login attempts. Element Web doesn't appear to do this at the moment:
https://matrix-client.matrix.org/_matrix/client/v3/login/sso/redirect/oidc-github?redirectUrl=https%3A%2F%2Fapp.element.io%2F&org.matrix.msc3824.action=login
Why would you like to do it?
For added security.
How would you like to achieve it?
Maybe dice a state, put it into localStorage and verify it upon redirection?
Have you considered any alternatives?
No response
Additional context
No response