italia / eudi-wallet-it-python

Python toolchain for building an OpenID4VP RP with a SATOSA backend compliant with the Italian Wallet implementation profile
Apache License 2.0

Remove modal "Autenticazione effettuata!" #121

Closed RosaliaGaleano closed 11 months ago

RosaliaGaleano commented 1 year ago

Delete this step in the process because it is redundant: the user will already have received positive feedback within the IT Wallet / app IO.

--> This is a NEW requirement

peppelinux commented 11 months ago

For the highest level of security I have decided to not allow JS to automatically redirect the authenticated user back to the RP; the "authentication successful" message must be provided with a link/button that the user will use to continue the flow.

This decision is driven by the security of the cookie, which in this implementation is configured as httponly: if the RP authenticates the browser according to a cookie, disallowing use of/access to the cookie from JS (and therefore Ajax), the request would be made to the RP without the cookie and then the RP would make the authentication fail.

This is true for the cross-device flow.

httponly
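The design described in the comment above, as an added illustration (this is not code from eudi-wallet-it-python or SATOSA): the RP binds the browser to a session cookie set with `HttpOnly`, `Secure` and `SameSite=Lax`, the post-authentication page carries a plain link instead of a JS redirect, and the `/continue` handler relies on the browser attaching the cookie on that top-level navigation. The `rp_app` WSGI function, the in-memory `SESSIONS` store, the `/login`, `/status` and `/continue` paths and the `mark_authenticated` stand-in for the verified wallet response are all assumptions made for the example.

```python
import http.cookies
import secrets

COOKIE_NAME = "rp_session"
# Hypothetical in-memory session store; a real RP would use a shared backend.
SESSIONS = {}


def new_session():
    """Create an unauthenticated session keyed by a random, unguessable id."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"authenticated": False}
    return sid


def session_cookie_header(sid):
    """Set-Cookie header for the session id: HttpOnly so page JS cannot read it,
    Secure so it only travels over TLS, SameSite=Lax so the browser still sends
    it on the top-level navigation triggered by the continue link."""
    jar = http.cookies.SimpleCookie()
    jar[COOKIE_NAME] = sid
    morsel = jar[COOKIE_NAME]
    morsel["httponly"] = True
    morsel["secure"] = True
    morsel["samesite"] = "Lax"
    morsel["path"] = "/"
    return ("Set-Cookie", morsel.OutputString())


def session_from_cookie(raw_cookie):
    """Return (sid, session) for the request's Cookie header, or (None, None)."""
    jar = http.cookies.SimpleCookie()
    jar.load(raw_cookie or "")
    morsel = jar.get(COOKIE_NAME)
    if morsel is None:
        return None, None
    return morsel.value, SESSIONS.get(morsel.value)


def mark_authenticated(sid):
    """Stand-in for the wallet's OpenID4VP response having been verified. In the
    cross-device flow this happens out of band, not inside the user's browser."""
    SESSIONS[sid]["authenticated"] = True


def rp_app(environ, start_response):
    """Minimal RP with three endpoints (assumed paths, not the project's)."""
    path = environ.get("PATH_INFO", "/")
    if path == "/login":
        sid = new_session()
        start_response("200 OK", [("Content-Type", "text/html"), session_cookie_header(sid)])
        return [b"<p>Scan the QR code with your wallet.</p>"]
    sid, session = session_from_cookie(environ.get("HTTP_COOKIE"))
    if path == "/status":
        # Page shown once the wallet has responded: a plain link, no JS redirect.
        if session and session["authenticated"]:
            start_response("200 OK", [("Content-Type", "text/html")])
            return [b'<p>Authentication successful.</p><a href="/continue">Continue</a>']
        start_response("200 OK", [("Content-Type", "text/html")])
        return [b"<p>Waiting for the wallet...</p>"]
    if path == "/continue":
        # Top-level navigation: the browser attaches the HttpOnly cookie itself,
        # so a request that arrives without it is rejected.
        if session is None or not session["authenticated"]:
            start_response("401 Unauthorized", [("Content-Type", "text/plain")])
            return [b"no authenticated session"]
        start_response("302 Found", [("Location", "/protected")])
        return [b""]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found"]


def simulate_request(path, cookie_header=None):
    """Drive rp_app directly (no network); returns (status, headers, body)."""
    environ = {"PATH_INFO": path, "REQUEST_METHOD": "GET"}
    if cookie_header is not None:
        environ["HTTP_COOKIE"] = cookie_header
    captured = {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(rp_app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    status, headers, _ = simulate_request("/login")
    set_cookie = dict(headers)["Set-Cookie"]
    print(set_cookie)
    sid = set_cookie.split(";")[0].split("=", 1)[1]
    mark_authenticated(sid)
    print(simulate_request("/continue")[0])                          # 401 Unauthorized: no cookie sent
    print(simulate_request("/continue", f"{COOKIE_NAME}={sid}")[0])  # 302 Found: browser-attached cookie
```

Running the script prints the `Set-Cookie` line with its `HttpOnly`, `Secure` and `SameSite=Lax` attributes, then shows that `/continue` is refused when the request carries no cookie and accepted when the browser supplies it. `SameSite=Lax` is the relevant choice here: `Strict` would drop the cookie on a navigation that starts from another origin, while `Lax` keeps it for the top-level GET that the continue link performs.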