After supplying an onRedirectCallback function to the provider, the browser's address bar first strips the query string from the redirectUri which appears to be a redirect and then redirects the user to the appropriate page.
To some security-paranoid users, this looks awkward and makes them think of scary words like, "man in the middle attack".
Propose that if onRedirectCallback is supplied, the redirectAfterLogin() function skips the window.history.replaceState call. If a consumer has gone to the trouble of supplying their own redirect callback function, they are likely going to be replacing the window history anyway.