simplesamlphp / simplesamlphp-module-oidc

A SimpleSAMLphp module for OIDC OP support.

OIDC support for SimpleSamlPhp consent #210

Open zoghlamikaiseruqam opened 8 months ago

zoghlamikaiseruqam commented 8 months ago

Hi, we are using OIDC v2.1.2 and we are deploying the consent module offered by SSP 1.19. I was wondering if the consent module is supported by the OIDC flows in this module? Regards, Kaiser.

pradtke commented 8 months ago

Hi @zoghlamikaiseruqam

I believe the consent module interacts with a user, and user interaction is not supported when running authproc filters from OIDC. There may be additional assumptions made in the consent module about it running in a SAML authentication context, but the main blocker for use is the user interaction portion.

zoghlamikaiseruqam commented 8 months ago

Hi @pradtke, thank you for your quick answer. Yes, unfortunately, it seems that the user interaction portion is not supported when running authproc filters from OIDC. It's a kind of deal-breaker, since regulation policies are now asking identity providers to have user consent before transferring any user data to third-party SPs. By any chance, would you have any ideas on how to work around this issue, and could this ticket be added to the SSP backlog for a near release? Thank you!

tvdijen commented 8 months ago

I think that if this module would re-use SSP's ProcessingChain instead of executing the filters directly, it should be able to work with filters that do user interaction.

pradtke commented 8 months ago

@tvdijen That's also what I am thinking. I have a similar ticket to test out the ProcessingChain for the authoauth2 module.

@zoghlamikaiseruqam When I say the user interaction is not supported, the issue is really that the OIDC module would not resume processing the list of authprocs at the next filter; I think it would start at the beginning. This may be okay in your case: if the user saves their choice, then when the consent module reran it would see the saved choice and not interact with the user on the second run of the filters. However, I'm not that familiar with the consent module.

As for timing for a real fix, I'm not sure. I think there would need to be some experimentation with ProcessingChain (like @tvdijen suggested) to see if it works or if it has assumptions about what $state data is set in a SAML context.
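To make the ProcessingChain idea from the two comments above concrete, here is an added sketch of how an OIDC authorization flow could hand its authproc list to SSP's chain so that an interactive filter pauses the request and is later resumed at the next queued filter, instead of the module re-running the whole filter list. This is example code written for this thread, not code from simplesamlphp-module-oidc or from SimpleSAMLphp. It assumes the SimpleSAMLphp 2.x signatures of `ProcessingChain`, `ProcessingFilter`, `State`, `Module::getModuleURL()` and `Utils\HTTP::redirectTrustedURL()`; the `Hypothetical\Oidc` namespace, the `AskUserFilter` class, the `hypothetical/ask` page, the `hypothetical:approved` state key, `resumeAfterUserChoice()`, `runAuthprocChain()`, `issueAuthorizationCode()` and the sample metadata are all invented for the illustration.

```php
<?php
// Added example for this issue, not part of simplesamlphp-module-oidc or SimpleSAMLphp.
// Shows a consent-style authproc filter pausing SSP's ProcessingChain and the chain
// being resumed at the next filter. Signatures assumed as in SimpleSAMLphp 2.x;
// everything named "hypothetical" is invented.
declare(strict_types=1);

namespace Hypothetical\Oidc;

use SimpleSAML\Auth\ProcessingChain;
use SimpleSAML\Auth\ProcessingFilter;
use SimpleSAML\Auth\State;
use SimpleSAML\Error\Exception as SspException;
use SimpleSAML\Logger;
use SimpleSAML\Module;
use SimpleSAML\Utils\HTTP;

/**
 * Minimal interactive filter (hypothetical). If the user has not yet approved
 * the attribute release, it persists $state, sends the user to a page and stops
 * the request. The chain keeps the filters still to run inside $state.
 */
class AskUserFilter extends ProcessingFilter
{
    public const STAGE = 'hypothetical:askuser'; // stage tag checked by State::loadState()

    public function process(array &$state): void
    {
        if (!empty($state['hypothetical:approved'])) {
            return; // already answered: the chain simply continues with the next filter
        }
        $id = State::saveState($state, self::STAGE);
        // Page of the hypothetical module that renders the attributes and a yes/no form.
        $url = Module::getModuleURL('hypothetical/ask', ['StateId' => $id]);
        (new HTTP())->redirectTrustedURL($url); // exits; nothing below this line runs
    }
}

/**
 * Handler behind that form (hypothetical). Reloading the saved state and calling
 * resumeProcessing() runs only the filters that were still queued when
 * AskUserFilter stopped, then calls the chain's ReturnCall.
 */
function resumeAfterUserChoice(string $stateId, bool $approved): void
{
    $state = State::loadState($stateId, AskUserFilter::STAGE);
    if ($state === null) {
        throw new \RuntimeException('unknown or expired StateId');
    }
    if (!$approved) {
        // Fail the login through the state's own error handling instead of continuing.
        State::throwException($state, new SspException('User declined attribute release'));
    }
    $state['hypothetical:approved'] = true;
    ProcessingChain::resumeProcessing($state); // does not return
}

/**
 * What an OIDC authorization endpoint would do to start the chain (hypothetical).
 * Both metadata arrays may carry an 'authproc' list; the chain merges them the
 * same way it does for a SAML IdP and SP. 'entityid' is required for logging.
 */
function runAuthprocChain(array $idpMetadata, array $clientMetadata, array $attributes): void
{
    $state = [
        'Attributes'  => $attributes,
        // Many filters read these; the SAML IdP code sets them the same way.
        'Source'      => $idpMetadata,
        'Destination' => $clientMetadata,
        // Exactly one of ReturnURL / ReturnCall is required. A function name
        // survives serialisation of $state by saveState(); a closure would not.
        'ReturnCall'  => __NAMESPACE__ . '\issueAuthorizationCode',
    ];

    $chain = new ProcessingChain($idpMetadata, $clientMetadata, 'idp');
    $chain->processState($state);

    // Reached only when no filter needed user interaction.
    issueAuthorizationCode($state);
}

/** Hypothetical continuation: the module would mint the code/tokens from $state here. */
function issueAuthorizationCode(array $state): void
{
    $released = implode(',', array_keys($state['Attributes']));
    Logger::info('hypothetical OIDC: releasing attributes [' . $released . '] to '
        . $state['Destination']['entityid']);
}

// Constructed sample input (not real entities): one interactive filter on the OP side.
runAuthprocChain(
    ['entityid' => 'https://op.example.org', 'authproc' => [10 => AskUserFilter::class]],
    ['entityid' => 'hypothetical-client-id', 'authproc' => []],
    ['uid' => ['alice'], 'mail' => ['alice@example.org']],
);
```

The point the sketch makes is the one pradtke raises: because `processState()` stores the not-yet-run filters in `$state` before each `process()` call, a filter may exit the request after `saveState()`, and `resumeProcessing()` later continues with exactly the remaining filters rather than from the top. Whether SSP's shipped consent module relies on further SAML-specific `$state` keys (such as the `Source`/`Destination` metadata shape) is the experimentation the thread calls for, and is not settled by this example.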

cicnavi commented 8 months ago

Related to #179

pradtke commented 1 month ago

Should be part of the next major release. Functionality merged in #228