logto-io / logto

🧑‍🚀 The better identity infrastructure for developers and the open-source alternative to Auth0.
https://logto.io
Mozilla Public License 2.0
7.97k stars 391 forks

feature request: pass state through login/registration step #4574

Open some-user123 opened 10 months ago

some-user123 commented 10 months ago

What problem did you meet?

A user navigates directly to a protected route, e.g. example.com/some/deep/link, and is automatically forwarded to login. When handling the callback I'd like to be able to redirect the user to the original URL.

Describe what you'd like Logto to have

To my knowledge, OIDC usually allows passing a state through the login step that is given back to the callback.

Using the vue SDK, I'd like to have the option to pass an additional state object to signIn method that is available to useHandleSignInCallback.

```javascript
const { signIn } = useLogto()

...
  // proposed: a second argument carrying application state that is
  // handed back unchanged to the sign-in callback handler
  signIn('http://localhost:4000/auth/callback', { foo: 'bar', originalUrl: '/some/deep/link' })
...

...
useHandleSignInCallback((state) => {
  // do something with state, e.g.
  router.push(state.originalUrl || '/')
})
```
wangsijie commented 10 months ago

Hi, can you save the state in LocalStorage or SessionStorage?

Btw, can you provide some additional details? It would help better understand your user scenario.

some-user123 commented 10 months ago

There are two aspects to it:

  1. OIDC has the state parameter and it should be used with an opaque string that is validated on callback to prevent certain types of attacks (https://medium.com/keycloak/the-importance-of-the-state-parameter-in-oauth-5419c94bef4c, https://stackoverflow.com/questions/35165793/what-attack-does-the-state-parameter-in-openid-connect-server-flow-prevent, https://auth0.com/docs/secure/attack-protection/state-parameters, ...). That should be supported by Logto and ideally implemented in the SDK as well.

  2. It would be a nice feature if the extended SDK would handle the storage and retrieval of additional state information based on this opaque token. Such functionality is e.g. implemented by the client library oidc-client-ts (https://authts.github.io/oidc-client-ts/). It allows you to pass additional state to the login request that is returned after a successful/failed login attempt: https://authts.github.io/oidc-client-ts/#md:custom-state-in-user-object

Does that clarify?

wangsijie commented 10 months ago

Thanks, the team will take a discussion next week after the vacation.