Add flag __enableIdPInitiatedLogin to enable idp initiated logins #708
Conversation
LGTM ... minor question RE: option name
@@ -179,12 +179,14 @@ WebAuth.prototype.parseHash = function(options, cb) { | |||
*/ | |||
WebAuth.prototype.validateAuthenticationResponse = function(options, parsedHash, cb) { | |||
var _this = this; | |||
options.__enableIdPInitiatedLogin = |
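Review bot: the new `options.__enableIdPInitiatedLogin = ...` assignment writes into the caller's `options` object in place, even though `validateAuthenticationResponse` receives it as a plain argument (the hunk header shows it flowing down from `parseHash`); computing the value into a local such as `var enableIdPInitiatedLogin = ...` avoids the side effect and keeps the object the caller passed unchanged. The doc comment closing with `*/` directly above the function does not mention the new flag in the visible lines, so a line documenting what `__enableIdPInitiatedLogin` does and when it is honoured would belong there too.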
Minor but ... I wonder if you shouldn't call this something else since it encompasses 2 different use cases here? Like options.__bypassStateChecking or thereabouts?
Changes look OK. Backwards compatibility is maintained 👍
On #689 you mentioned "add __enableImpersonation flag to enable impersonation again". You might want to rename this PR's title to reflect that it affects "impersonation" or add a paragraph on the repo's README
We'll have proper docs for this flag shortly: auth0/docs#5857
`var shouldBypassStateChecking = !state && !transactionState && options.__enableIdPInitiatedLogin;`

I don't think this solves the issue in our use case where we set state server-side outside of our auth.js and redirect to authorize. We need a way of bypassing state checking entirely with an option for this case I think?
if you redirect to
Thanks for pointing me in the right direction. I have added the following, which allows the state check to always pass. For security maybe we need a way of finding out if a transaction is in progress and only do this if it isn't, or passing another param to our callback page? Otherwise I guess this simply bypasses the check in all cases, even if it did originate from auth0.js?
Yeah, but then you, as a developer, are intentionally bypassing the state checking, there's nothing we can do. In order to be actually secure,
this will also enable impersonation, since it's an IdP initiated login as well. The __enableImpersonation flag is still enabled so we don't break anyone that is already using it.
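The thread turns on two different ways of relaxing the OAuth `state` check: the narrow condition quoted earlier (`!state && !transactionState && options.__enableIdPInitiatedLogin`) and the "always pass" change one commenter describes. The example below is added here and is not auth0.js code or code from this PR. It models both side by side with a small in-memory transaction store so the difference is visible on concrete inputs. All names (`TransactionStore`, `evaluateStateCheck`, `evaluateWithUnconditionalBypass`) are hypothetical, and "transaction in progress" is interpreted, as the later comment suggests, as "any login this app has started and not yet completed", which is an assumption about how the SDK tracks transactions rather than a description of auth0.js internals.

```javascript
// Added example, not auth0.js or PR code. Models the state check discussed in the thread.
// Assumptions (hypothetical names): TransactionStore stands in for whatever storage a browser
// SDK keeps between the /authorize redirect and the callback; the state values are constructed.

// Minimal stand-in for transaction storage. Each login the app starts records the `state`
// it sent to /authorize; IdP-initiated logins never create an entry because the app never
// initiated them.
class TransactionStore {
  constructor() {
    this.pending = new Map();
  }

  // Called when the app starts a login; returns the state so the caller can put it in the URL.
  begin(state) {
    this.pending.set(state, { createdAt: Date.now() });
    return state;
  }

  // True when this app has a login in flight that has not yet been completed.
  hasPending() {
    return this.pending.size > 0;
  }

  // Transactions are single-use: a matching state is consumed on success, so a replayed
  // callback carrying the same state fails the check the second time.
  consume(state) {
    return this.pending.delete(state);
  }
}

// Narrow bypass, shaped like the condition quoted in the thread: the state check is skipped
// only when the response carries no state, no login is in flight, and the app opted in.
function evaluateStateCheck(responseState, store, options) {
  const flagOn = Boolean(options && options.__enableIdPInitiatedLogin);
  const shouldBypassStateChecking = !responseState && !store.hasPending() && flagOn;

  if (shouldBypassStateChecking) {
    return { ok: true, reason: 'idp-initiated' };
  }
  if (!responseState) {
    // A stateless response while the app has its own login pending is not treated as
    // IdP-initiated; it is rejected, which is the concern the thread raises.
    return { ok: false, reason: 'missing-state' };
  }
  if (!store.consume(responseState)) {
    // Either the state was never issued by this app or it was already used once.
    return { ok: false, reason: 'unknown-or-replayed-state' };
  }
  return { ok: true, reason: 'state-matched' };
}

// Unconditional bypass, the "always pass" shape described in the later comment. Every
// response is accepted, including one whose state does not match while the app's own login
// is still in flight, so the CSRF protection the state parameter provides is gone entirely.
function evaluateWithUnconditionalBypass(responseState, store) {
  store.consume(responseState); // result ignored on purpose: this path never rejects
  return { ok: true, reason: 'bypassed' };
}

// Walks the scenarios from the thread and returns the outcomes so they can be inspected.
function demo() {
  const opts = { __enableIdPInitiatedLogin: true };
  const narrow = new TransactionStore();
  const results = {};

  results.idpInitiated = evaluateStateCheck(undefined, narrow, opts);        // accepted
  results.flagOff = evaluateStateCheck(undefined, narrow, {});               // rejected
  narrow.begin('abc123');                                                    // app starts a login
  results.statelessWhilePending = evaluateStateCheck(undefined, narrow, opts); // rejected
  results.wrongState = evaluateStateCheck('not-ours', narrow, opts);         // rejected
  results.correctState = evaluateStateCheck('abc123', narrow, opts);         // accepted once
  results.replay = evaluateStateCheck('abc123', narrow, opts);               // rejected

  const always = new TransactionStore();
  always.begin('abc123');
  results.bypassWrongState = evaluateWithUnconditionalBypass('not-ours', always); // accepted
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Run with `node` to print the outcome of each scenario. The point the table of results makes is the one raised in the thread: the narrow flag only changes the outcome for a stateless callback when nothing is pending, whereas the unconditional variant accepts a mismatched state even while the app's own login is in progress.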