openedx / edx-platform

The Open edX LMS & Studio, powering education sites around the world!
https://openedx.org
GNU Affero General Public License v3.0

fix: add query param to sso redirection during tpa pipeline #35042

Closed syedsajjadkazmii closed 5 days ago

syedsajjadkazmii commented 5 days ago

Description

In the authentication micro frontend (MFE), we need to identify whether the user has been redirected from the pipeline to the authentication MFE or from any other flow. This distinction is crucial to ensure that auto-registration only occurs for users redirected directly from the pipeline.

Other scenarios where a user can access the authentication MFE include:

robrap commented 5 days ago

Some high-level thoughts:

  1. Are there any security concerns with the query param? If someone force added the param, could they do anything bad, or would they just force a registration where there shouldn't be one? What would go wrong if it weren't from the pipeline?
  2. Where is the documentation for this new flow? It seems like you are adding a new community feature, but how would one read or learn about it? Also, if this is related to features in the AuthnMFE, could you point to related docs/PRs from this PR?

syedsajjadkazmii commented 5 days ago

  1. Are there any security concerns with the query param? If someone force added the param, could they do anything bad, or would they just force a registration where there shouldn't be one? What would go wrong if it weren't from the pipeline?

You're correct. If someone forcefully adds this parameter, it will automatically register them. However, it would have no effect if the user isn't from the pipeline or the pipeline is inactive. When the pipeline is inactive, this query parameter is essentially useless. Its only purpose is to indicate that the user has been redirected from the pipeline.

  2. Where is the documentation for this new flow? It seems like you are adding a new community feature, but how would one read or learn about it? Also, if this is related to features in the AuthnMFE, could you point to related docs/PRs from this PR?

This is not related to any new flow or community feature. We just need a way to determine if a user is coming from the pipeline or not. This is something we need for 2U.
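
The security point raised in the exchange above is that a query parameter on the redirect is attacker-controlled, so it can only be a hint; the thing that must gate auto-registration is the server-side pipeline state. The following is an added illustration of that split, not code from this PR or from edx-platform. The parameter name `tpa_pipeline_redirect`, the session key `partial_pipeline_token` (modelled on python-social-auth's partial-pipeline storage) and the URL shapes are all assumptions for the example; the PR's real parameter name is not shown on this page.

```python
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed marker name; the actual query parameter in the PR is not visible here.
PIPELINE_MARKER = "tpa_pipeline_redirect"
# Assumed session key for a running third-party-auth (TPA) pipeline.
PIPELINE_SESSION_KEY = "partial_pipeline_token"


def build_authn_redirect(authn_base_url: str, next_url: str, from_pipeline: bool) -> str:
    """Build the redirect from the LMS to the authentication MFE.

    The marker is appended only when the LMS itself is sending the user out
    of a running TPA pipeline; any other entry path omits it.
    """
    params = {"next": next_url}
    if from_pipeline:
        params[PIPELINE_MARKER] = "true"
    return f"{authn_base_url.rstrip('/')}/login?{urlencode(params)}"


def marker_present(url: str) -> bool:
    """Return True if the (untrusted) marker is set on the incoming URL."""
    query = parse_qs(urlparse(url).query)
    return query.get(PIPELINE_MARKER) == ["true"]


def pipeline_running(session: dict) -> bool:
    """Return True if the server-side session records an active pipeline.

    This is the trustworthy signal: the user cannot mint it by editing a URL.
    """
    return bool(session.get(PIPELINE_SESSION_KEY))


def should_auto_register(url: str, session: dict) -> bool:
    """Decide whether the MFE may skip the form and auto-register.

    Both conditions are required. A forged marker without a running pipeline
    is ignored, which is exactly the property the PR discussion relies on;
    a running pipeline without the marker means the user reached the MFE by
    some other route and should see the normal flow.
    """
    return marker_present(url) and pipeline_running(session)


if __name__ == "__main__":
    authn = "https://authn.example.invalid"  # constructed, not a real deployment

    # Case 1: genuine pipeline redirect, session holds a pipeline token.
    legit_url = build_authn_redirect(authn, "/dashboard", from_pipeline=True)
    legit_session = {PIPELINE_SESSION_KEY: "abc123"}  # constructed token value
    print("legit:", should_auto_register(legit_url, legit_session))

    # Case 2: attacker pastes the marker onto a URL with no pipeline in session.
    forged_url = f"{authn}/login?next=%2Fdashboard&{PIPELINE_MARKER}=true"
    print("forged:", should_auto_register(forged_url, {}))

    # Case 3: pipeline is running but the user arrived via a plain link.
    plain_url = build_authn_redirect(authn, "/dashboard", from_pipeline=False)
    print("plain:", should_auto_register(plain_url, legit_session))
```

The decision function deliberately reads the marker only to distinguish "redirected from the pipeline" from "arrived some other way"; it never treats the marker as proof that a pipeline exists. That keeps the worst case of a forged parameter at "nothing happens", which is what the reply above argues.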

syedsajjadkazmii commented 5 days ago

Closing it because it was an org specific change and we figured out a way to achieve our use-case without it.