element-hq / element-web

A glossy Matrix collaboration client for the web.
https://element.io
Apache License 2.0

SSO login should use state parameter #27217

Open Johennes opened 3 months ago

Johennes commented 3 months ago

Your use case

What would you like to do?

The spec recommends clients to use a unique identifier in the SSO redirect URL to guard against unsolicited login attempts. Element Web doesn't appear to do this at the moment:

https://matrix-client.matrix.org/_matrix/client/v3/login/sso/redirect/oidc-github?redirectUrl=https%3A%2F%2Fapp.element.io%2F&org.matrix.msc3824.action=login

Why would you like to do it?

For added security.

How would you like to achieve it?

Maybe dice a state, put it into localStorage and verify it upon redirection?

Have you considered any alternatives?

No response

Additional context

No response

t3chguy commented 3 months ago

This is already done in Element Desktop. Element Web has other mitigations against unsolicited login attempts. In Native OIDC it properly uses the state parameter.