Bug #7614
To help registration and password reset views, IdP should pass a next URL containing the nonce to the login page
100%
Description
When the login page gets a nonce parameter and authentication succeeds, it passes this nonce to the next URL so that, for example, an IdP can find the state linked to the received authentication request or check that an authentication event linked to a received request really happened (it's needed for SAML if the forceAuthn flag is set or with CAS if the renew parameter is used).
If we want registration or password not to block the authentication flow, they must authenticate the user when their work is finished (done) and redirect to the next URL view. Currently they do redirect but the nonce parameter is missing. To help them, IdP should suffix the nonce parameter themselves. In the end we can even remove the nonce adding from the login view, so that IdP can even name this parameter however they want.
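The difference between the current and the requested behaviour, as an added example that is not part of the original ticket or of the project's code. The paths `/login/` and `/idp/continue/`, the `next` parameter name and every function name below are assumptions made for illustration.

```python
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

NONCE_FIELD = "nonce"  # the IdP may pick any name once it owns the parameter


def set_param(url, name, value):
    """Return url with name=value in its query string, replacing older values."""
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != name]
    query.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(query)))


def get_param(url, name):
    return dict(parse_qsl(urlsplit(url).query)).get(name)


def login_url_before(login_url, continue_url, nonce):
    """Current behaviour: the nonce travels beside next, so only the login view forwards it."""
    return set_param(set_param(login_url, "next", continue_url), NONCE_FIELD, nonce)


def login_url_after(login_url, continue_url, nonce):
    """Requested behaviour: the IdP puts the nonce inside the next URL itself."""
    return set_param(login_url, "next", set_param(continue_url, NONCE_FIELD, nonce))


def nonce_unaware_view(url):
    """A registration or password view (hypothetical): it only redirects to next."""
    return get_param(url, "next")


def idp_continue(url, pending):
    """IdP continue view (hypothetical): recover the pending request from the nonce, once."""
    return pending.pop(get_param(url, NONCE_FIELD), None)


def demo():
    pending = {}
    nonce = secrets.token_urlsafe(16)
    pending[nonce] = "constructed-authn-request-1"  # constructed sample state
    before = nonce_unaware_view(login_url_before("/login/", "/idp/continue/", nonce))
    after = nonce_unaware_view(login_url_after("/login/", "/idp/continue/", nonce))
    return idp_continue(before, pending), idp_continue(after, pending)
```

With the nonce beside `next`, the view that only forwards `next` returns to the IdP without it and the pending request cannot be found; with the nonce inside `next`, the same view needs no change.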
Associated revisions
Make CAS IdP pass the nonce directly in the continue URL (fixes #7514)
When the login page gets a nonce parameter and authentication succeeds, it
passes this nonce to the next URL so that for example an IdP can find
the state linked to the received authentication request or check that an
authentication event linked to a received request really happened. (it's
needed for SAML if the forceAuthn flag is set or with CAS if the renew
parameter is used).
If we want registration or password not to block the authentication flow
they must authenticate the user when their work is finished (done) and
redirect to the next URL view. Currently they do redirect but the nonce
parameter is missing. To help them IdP should suffix the nonce parameter
themselves. In the end we can even remove the nonce adding from the login
view, so that IdP can even name this parameter however they want.
History
Updated by Benjamin Dauvergne almost 9 years ago
- Status changed from New to Solution deployed
- % Done changed from 0 to 100
Updated by Benjamin Dauvergne almost 9 years ago
- Status changed from Solution deployed to Resolved (to deploy)
Updated by Benjamin Dauvergne about 8 years ago
- Status changed from Resolved (to deploy) to Solution deployed
Updated by Benjamin Dauvergne more than 6 years ago
- Status changed from Solution deployed to Closed
In SAML IdP, make need_login() directly set the nonce parameter in the return URL (#7614)
When the login page gets a nonce parameter and authentication succeeds, it
passes this nonce to the next URL so that for example an IdP can find
the state linked to the received authentication request or check that an
authentication event linked to a received request really happened. (it's
needed for SAML if the forceAuthn flag is set or with CAS if the renew
parameter is used).
If we want registration or password not to block the authentication flow
they must authenticate the user when their work is finished (done) and
redirect to the next URL view. Currently they do redirect but the nonce
parameter is missing. To help them IdP should suffix the nonce parameter
themselves. In the end we can even remove the nonce adding from the login
view, so that IdP can even name this parameter however they want.