nokia / kong-oidc

OIDC plugin for Kong
Apache License 2.0

Unauthenticated POST request becomes GET after authentication and loses detail #55

Closed pureza closed 5 years ago

pureza commented 6 years ago

This is not really an issue with this plugin per se, it's more of a general OpenID Connect question, but as I'm trying out this plugin I really can't find a more appropriate place to ask.

I've got an "Add to cart" button that issues a POST request to the HTTP server. If the user is not authenticated, the kong-oidc plugin takes over and the user goes to the Identity Provider to be authenticated. However, when the user is authenticated, the Identity Provider redirects the user to the redirect_uri using a GET, which means my application loses the context of which item the user wanted to buy.

The only alternative that I can think of would be to hide the "Add to cart" button until the user logs in, but it seems like this would be an important limitation of OpenID. Is there another solution?

Trojan295 commented 6 years ago

The redirect URL implements a mechanism to protect against CSRF attacks. An attacker could forge a request with his redirect URL and the provider would return the access token to the attacker instead. Providers have an option to limit the possible redirect URLs, so only valid requests are processed by the provider.

The endpoint of this redirection is usually responsible for exchanging the authorization code for the access token. After that it depends on the client whether it continues processing the request which triggered the OIDC flow or drops it.

Currently the plugin doesn't cache the initial request and simply redirects to the URL in the redirect_url config. I think it would be possible to implement a mechanism to remember the initial request and proceed with it after a successful authentication.

For now I would recommend disabling such functionality for the end user and informing him that he needs to log in.
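The "remember the initial request and proceed with it after authentication" mechanism sketched above, as an added illustrative example. This is not kong-oidc code (the plugin is written in Lua; this is a relying-party sketch in Python so the control flow can be read and run stand-alone). Everything in it is assumed: the `Session` object stands in for a server-side session store, `IDP_AUTHORIZE`, `CLIENT_ID` and `REDIRECT_URI` are placeholders, and `exchange_code()` is a constructed stand-in for the real code-for-token exchange at the IdP token endpoint. The saved request is keyed by the random `state` value and is single-use and time-limited; a safe (GET) request is resumed with a plain redirect, while a state-changing (POST) request is never replayed silently, because it was accepted while the user was unauthenticated and could have been planted by a cross-site form:

```python
"""Added example (not kong-oidc code): a relying party that remembers the
request which triggered the OIDC redirect and resumes it after the callback.

All names here are hypothetical: Session stands in for a server-side session
store, the URLs and client id are placeholders, and exchange_code() is a
constructed stand-in for the code-for-token exchange at the IdP token endpoint.
"""
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode

IDP_AUTHORIZE = "https://idp.example/authorize"   # placeholder IdP endpoint
CLIENT_ID = "kong"                                 # placeholder client id
REDIRECT_URI = "https://app.example/cb"            # the registered redirect_uri
PENDING_TTL = 300                                  # seconds a saved request stays valid
SAFE_METHODS = {"GET", "HEAD"}


@dataclass
class Pending:
    method: str
    path: str
    body: bytes
    created: float


@dataclass
class Session:
    sub: Optional[str] = None                       # authenticated subject, once known
    pending: Dict[str, Pending] = field(default_factory=dict)  # state/token -> saved request


def start_login(session: Session, method: str, path: str, body: bytes,
                now: Optional[float] = None) -> Tuple[str, str]:
    """Save the interrupted request under a fresh random state and build the
    authorization request. Keying on `state` ties the saved request to the
    browser session that started the flow."""
    now = time.time() if now is None else now
    state = secrets.token_urlsafe(32)
    session.pending[state] = Pending(method, path, body, now)
    query = urlencode({"response_type": "code", "client_id": CLIENT_ID,
                       "redirect_uri": REDIRECT_URI, "scope": "openid",
                       "state": state})
    return state, f"{IDP_AUTHORIZE}?{query}"


# Constructed stand-in for the token endpoint: authorization code -> subject.
FAKE_CODES = {"code-abc": "alice"}


def exchange_code(code: str) -> Optional[str]:
    return FAKE_CODES.get(code)


def handle_callback(session: Session, state: str, code: str,
                    now: Optional[float] = None) -> Tuple[str, Optional[str]]:
    """The redirect_uri handler. Returns one of
    ("reject", None), ("redirect", path) or ("confirm", token)."""
    now = time.time() if now is None else now
    # Unknown or expired state: this callback was not started from this
    # session, so do not exchange the code at all. pop() makes it single-use.
    pending = session.pending.pop(state, None)
    if pending is None or now - pending.created > PENDING_TTL:
        return ("reject", None)
    sub = exchange_code(code)
    if sub is None:
        return ("reject", None)
    session.sub = sub
    if pending.method in SAFE_METHODS:
        # Idempotent request: a plain redirect lets the browser re-issue it.
        return ("redirect", pending.path)
    # State-changing request: do not replay it silently. It was accepted while
    # unauthenticated, so a cross-site form could have planted it; hand back a
    # confirmation token and let the now-authenticated user approve the replay.
    token = secrets.token_urlsafe(16)
    session.pending[token] = pending
    return ("confirm", token)


def confirm_replay(session: Session, token: str,
                   now: Optional[float] = None):
    """Called when the user submits the confirmation page. Returns the saved
    request plus the subject to run it as, or None if it cannot be replayed."""
    now = time.time() if now is None else now
    pending = session.pending.pop(token, None)
    if pending is None or session.sub is None or now - pending.created > PENDING_TTL:
        return None
    return (pending.method, pending.path, pending.body, session.sub)


if __name__ == "__main__":
    s = Session()
    state, url = start_login(s, "POST", "/cart", b"item=42", now=1000.0)
    print("redirect user to:", url)
    kind, token = handle_callback(s, state, "code-abc", now=1001.0)
    print(kind, confirm_replay(s, token, now=1002.0))
```

In a gateway such as Kong the `Session` store would be the plugin's own session (cookie-bound, server-side), and the confirmation page for a POST would be rendered by the application rather than the gateway; the essential properties to keep are that the saved request is bound to the `state` that started the flow, is consumed exactly once, expires, and is never replayed with side effects without the authenticated user's consent.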

Trojan295 commented 5 years ago

Closing, because of no interest