qr code image

[MdreW]

Hi all, i'm studying this library for the satosa's integration. At this moment the backend respond a web page with an image of qr code. The discovery page, on button click, open a iframe on qrcode page. With this solution I look some problem:

• an iframe is considered dangerous from many people (right or not)
• many web server have enabled HTTP header X-Frame-Options: DENY
• an iframe from same site is necesary?
• is not simple modify the qr page and can require fork the library
• is uncomfortable for a js template
• add requirements unecessary and is not 'satosa style'
• is a little bit too much

For satosa a simple solution is render a json from the qr code page. Es: {code: xxxxxxxxxxx, ttl: 150}. With js we read async the json and render qrcode directly in the page (no iframe, jinja or graphics libraries). If it can be useful, i can make a POC of this discovery page type

But in generally i don't think that an auth library must generate html, svg or png. If is usefull, and can be, should be divided in more modules.

My2C

[peppelinux]

Hi @MdreW

you're right, that's why we have this here https://github.com/italia/Satosa-Saml2Spid/blob/eudi/example/uwsgi_setup/nginx/net_proxy.conf#L59

I'm not a lover of the iframe, then I would like to improve that discovery page.

the templates can be customized and their path configured here, so you don't have to fork for UI customizations.

JS template MUST be improved, that's a PoC and I'm aware of this.

Can you give more explaination about these two?

add requirements unecessary and is not 'satosa style' is a little bit too much

The code is divided by submodules as explained in the README, this is a complete toolchain where a developer may decide to use just some components and not all of them

[peppelinux]

For satosa a simple solution is render a json from the qr code page. Es: {code: xxxxxxxxxxx, ttl: 150}. With js we read async the json and render qrcode directly in the page (no iframe, jinja or graphics libraries). If it can be useful, i can make a POC of this discovery page type

yes you can!

[MdreW]

https://github.com/MdreW/discovery_async_qrcode_example - example of discovery page that creates the qr code from remote on click string. The discovery page is configured from load the remote json from https://common.intranet.isprambiente.it/code.json. The remote json contain this data: {"code": "https://www.isprambiente.gov.it/it", "ttl": 150}

must be implemented the authentication check. In response json must be added the authentication id and the url for check the status.

Is based on the last my proposal of satosa-saml2spid discovery page. The qrcode trick is in wallet_it.js.

If is a solution can be useful we can develop with more detailed.