opengovsg / FormSG

Form builder for the Singapore Government
https://form.gov.sg

SPCP update Target/relayState validation #2560

Open timotheeg opened 2 years ago

timotheeg commented 2 years ago

Context

SPCP is in the process of hardening the authentication flow by validating that the argument Target only contains whitelisted domains.

With Form, however, we do not supply Target as a fully qualified URL. Instead, we supply a custom-formatted path-like string as follows:

/<FORM_ID>,<REMEMBER_ME>

Where FORM_ID is alphanumerical, and REMEMBER_ME is a string enum of values true or false.

Not using a fully qualified URL is a security feature. It ensures we never do a blind redirect when the call comes back; instead we will always validate the form ID and reconstruct a valid URL. No arbitrary URL injection is possible.

The risk here however is that SPCP could be failing domain whitelisting validation (since we do not supply a domain), and causing our integration to break. SPCP has noticed our custom format however and is in the process of ensuring our integration still works even after their hardening.

TODO

This is a deferred P1 ticket: It is not urgent now, but it needs to be picked up right away as soon as SPCP informs us their hardening is done.
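The validate-and-reconstruct approach described in the issue, written out as an added example (illustrative code, not FormSG's own implementation). It parses the custom `/<FORM_ID>,<REMEMBER_ME>` Target with an anchored regex, rebuilds the redirect URL from the validated form ID alone, shows for contrast how a blind redirect of the raw value could be steered off-site, and shows why a hostname allowlist on the IdP side would reject a Target that carries no host at all. The function names, the `https://form.gov.sg` origin and the 64-character cap on FORM_ID are assumptions.

```typescript
// Added example, not FormSG code. Strict handling of the custom SPCP
// Target / RelayState "/<FORM_ID>,<REMEMBER_ME>" described in the issue.
// Function names, FORM_ORIGIN and the 64-char FORM_ID cap are assumptions.

const FORM_ORIGIN = "https://form.gov.sg"; // assumed origin used for reconstruction

// Anchored at both ends: a single alphanumeric path segment, a comma, then
// exactly "true" or "false". Schemes, "//host" prefixes, "@", "?", "#",
// whitespace and differently-cased enum values all fail to match.
const RELAY_STATE_RE = /^\/([A-Za-z0-9]{1,64}),(true|false)$/;

interface ParsedRelayState {
  formId: string;
  rememberMe: boolean;
}

// Parse the Target into its two fields, or return null if it is malformed.
function parseRelayState(target: string): ParsedRelayState | null {
  const m = RELAY_STATE_RE.exec(target);
  if (m === null) return null;
  const formId = m[1];
  const flag = m[2];
  if (formId === undefined || flag === undefined) return null;
  return { formId, rememberMe: flag === "true" };
}

// Reconstruct the redirect URL from the validated form ID only. The Target
// string as received is never echoed into the redirect.
function buildRedirectUrl(target: string, origin: string = FORM_ORIGIN): string | null {
  const parsed = parseRelayState(target);
  if (parsed === null) return null;
  return new URL(`/${parsed.formId}`, origin).toString();
}

// The insecure alternative, for contrast: resolving the raw Target against our
// origin. A protocol-relative value such as "//evil.example/x" resolves to a
// foreign host, which is exactly the open redirect the custom format avoids.
function blindRedirectUrl(target: string, origin: string = FORM_ORIGIN): string {
  return new URL(target, origin).toString();
}

// What a hostname-based allowlist on the IdP side would see: the custom format
// is not an absolute URL, so it has no hostname to check.
function targetHostname(target: string): string | null {
  try {
    return new URL(target).hostname;
  } catch {
    return null; // not an absolute URL
  }
}

// A naive allowlist that insists on a whitelisted hostname rejects the custom
// Target outright; this is the integration break the issue is tracking.
function passesNaiveDomainAllowlist(target: string, allowed: readonly string[]): boolean {
  const host = targetHostname(target);
  return host !== null && allowed.includes(host);
}
```

The regex doubles as the only trust boundary: because FORM_ID is restricted to alphanumerics and the enum to two literal values, the reconstructed URL can only ever point at a path under the configured origin, so no `encodeURIComponent` or later host check is needed.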

r00dgirl commented 2 years ago

pending spcp