Closed bwaidelich closed 3 years ago
As discussed earlier today, instead of making those parameters configurable (i.e. extending the flownative/oauth2-client or overriding the finishAuthorizationAction) in order to trigger the Flow authentication directly before the final redirect, we decided to extend the SetJwtCookieMiddleware instead such that it removes the query parameters and triggers yet another redirect.
After finalizing the OIDC authentication, the finishAuthorizationAction of the flownative/oauth2-client package is triggered, which results in a final redirect that includes the OIDC parameters flownative_oidc and flownative_oauth2_authorization_id_oidc that are picked up by the SetJwtCookieMiddleware in order to set a corresponding JWT cookie.

Afterwards the two query parameters reside in the requested URL (e.g. /some-path?flownative_oidc=eyJ...%3D%3D&flownative_oauth2_authorization_id_oidc=oidc-....). This is not beautiful (especially when URLs are bookmarked or shared) and it can even lead to errors if the URL is re-requested at a later point (e.g. via Browser Refresh).
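The cleanup step the issue settles on (set the cookie, strip the two OIDC query parameters, redirect once more), written as a stand-alone PSR-15 middleware. This is an added illustration, not the flownative/oidc-client code or its SetJwtCookieMiddleware; the class name, the cookie name and the assumption that the flownative_oidc value is used as the cookie value unchanged are all assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example, not the project's own middleware. Class name, cookie name and
// the pass-through of the flownative_oidc value into the cookie are assumptions.
use Psr\Http\Message\ResponseFactoryInterface;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;

final class SetJwtCookieAndCleanUrlMiddleware implements MiddlewareInterface
{
    private const JWT_PARAMETER = 'flownative_oidc';
    private const AUTHORIZATION_ID_PARAMETER = 'flownative_oauth2_authorization_id_oidc';
    private const COOKIE_NAME = 'flownative_oidc_jwt'; // placeholder name for the example

    public function __construct(private ResponseFactoryInterface $responseFactory) {}

    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
    {
        $query = $request->getQueryParams();
        // Only the GET redirect coming back from finishAuthorizationAction carries the parameter;
        // every other request passes straight through to the application.
        if ($request->getMethod() !== 'GET' || !isset($query[self::JWT_PARAMETER])) {
            return $handler->handle($request);
        }

        $jwt = (string)$query[self::JWT_PARAMETER];

        // Build the same URL without the two OIDC parameters; any other query parameters survive.
        unset($query[self::JWT_PARAMETER], $query[self::AUTHORIZATION_ID_PARAMETER]);
        $cleanUri = $request->getUri()->withQuery(http_build_query($query, '', '&', PHP_QUERY_RFC3986));

        // Cookie attributes keep the token off plain HTTP and away from script access.
        $cookie = sprintf('%s=%s; Path=/; Secure; HttpOnly; SameSite=Lax',
            self::COOKIE_NAME, rawurlencode($jwt));

        // 303 makes the browser re-request the cleaned URL with a GET; the cookie is stored
        // from this redirect response, so the next request is authenticated without the
        // token ever being bookmarked, shared or re-submitted as part of the URL.
        return $this->responseFactory->createResponse(303)
            ->withHeader('Location', (string)$cleanUri)
            ->withHeader('Set-Cookie', $cookie);
    }
}
```

The re-requested clean URL reaches the application with the cookie only, so a later refresh or bookmark no longer contains the one-time parameters that caused the errors described above.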