reta commented on code in PR #3241:
URL: https://github.com/apache/cxf/pull/3241#discussion_r3456494439
##########
rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationService.java:
##########
@@ -57,18 +57,42 @@ public Response completeAuthentication(@Context
OidcClientTokenContext oidcConte
URI redirectUri = null;
MultivaluedMap<String, String> state = oidcContext.getState();
String location = state != null ? state.getFirst("state") : null;
- if (location == null && defaultLocation != null) {
+ if (location != null) {
Review Comment:
@coheigea need your advice please, the usage of `state` for redirect URL
look very suspicious, I haven't found any references in OIDC RP specs of such
designation, is it correct or I am missing something? thank you
##########
rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationService.java:
##########
@@ -57,18 +57,42 @@ public Response completeAuthentication(@Context
OidcClientTokenContext oidcConte
URI redirectUri = null;
MultivaluedMap<String, String> state = oidcContext.getState();
String location = state != null ? state.getFirst("state") : null;
- if (location == null && defaultLocation != null) {
+ if (location != null) {
Review Comment:
@coheigea need your advice please, the usage of `state` for redirect URL
looks very suspicious, I haven't found any references in OIDC RP specs of such
designation, is it correct or I am missing something? thank you
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
