dxbjavid commented on code in PR #3241:
URL: https://github.com/apache/cxf/pull/3241#discussion_r3468442227
##########
rt/rs/security/sso/oidc/src/main/java/org/apache/cxf/rs/security/oidc/rp/OidcRpAuthenticationService.java:
##########
@@ -57,18 +57,42 @@ public Response completeAuthentication(@Context
OidcClientTokenContext oidcConte
URI redirectUri = null;
MultivaluedMap<String, String> state = oidcContext.getState();
String location = state != null ? state.getFirst("state") : null;
- if (location == null && defaultLocation != null) {
+ if (location != null) {
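Review bot: the new condition `if (location != null) {` uses `location` exactly as it comes back from `state.getFirst("state")`, with no origin check in this method, so the open-redirect guard now rests entirely on the filter's toRequestState having dropped cross-origin values before the state reaches here; a one-line comment at this branch stating that the value is pre-validated by the filter, plus a completeAuthentication test that supplies a cross-origin state value and expects the defaultLocation fallback, would pin that contract. The hunk also drops the `defaultLocation != null` guard from this branch, so the fallback path (not shown here) should be checked to confirm a null defaultLocation still produces a sensible response rather than a null redirect.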
Review Comment:
Moved it into the filter. toRequestState now drops the state value when it
isn't same-origin, so the caller-supplied parameter can't collide with the
redirect query the filter writes and completeAuthentication goes back to its
original form. Relative and same scheme/authority values are kept;
cross-origin, protocol-relative and userinfo-host ones are dropped and it falls
back to defaultLocation. The test moved to OidcRpAuthenticationFilterTest to
cover toRequestState directly.
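An added illustration of the same-origin rule the comment above describes (example code, not CXF's own toRequestState); the class and method names, the request URI and the sample state values are all assumptions.

```java
import java.net.URI;
import java.net.URISyntaxException;

public final class SameOriginStateCheck {
    /** Returns the candidate if it is safe to redirect to, otherwise null. */
    public static String filterState(String candidate, URI requestUri) {
        if (candidate == null || candidate.isEmpty()) {
            return null;
        }
        URI target;
        try {
            target = new URI(candidate);
        } catch (URISyntaxException e) {
            return null; // unparseable values are dropped, never passed through
        }
        // Protocol-relative ("//other.example/x"): an authority without a scheme.
        if (target.getScheme() == null && target.getRawAuthority() != null) {
            return null;
        }
        // Userinfo forms ("https://app.example.com@other.example/") name a different host.
        if (target.getRawUserInfo() != null) {
            return null;
        }
        // Relative values have neither scheme nor authority and stay on this origin.
        if (target.getScheme() == null) {
            return candidate;
        }
        // Absolute values must match the request's scheme and authority (host plus port).
        boolean sameScheme = target.getScheme().equalsIgnoreCase(requestUri.getScheme());
        boolean sameAuthority = target.getRawAuthority() != null
            && target.getRawAuthority().equalsIgnoreCase(requestUri.getRawAuthority());
        return sameScheme && sameAuthority ? candidate : null;
    }

    public static void main(String[] args) {
        // Constructed sample request and state values, not taken from the PR.
        URI request = URI.create("https://app.example.com/oidc/rp/complete");
        String[] samples = {
            "/home",                                  // kept: relative
            "https://app.example.com/dashboard",      // kept: same origin
            "https://other.example/landing",          // dropped: cross-origin
            "//other.example/landing",                // dropped: protocol-relative
            "https://app.example.com@other.example/"  // dropped: userinfo host
        };
        for (String s : samples) {
            String kept = filterState(s, request);
            System.out.println(s + " -> " + (kept != null ? "kept" : "dropped, fall back to defaultLocation"));
        }
    }
}
```

Comparing the raw authority means a value carrying an explicit port (`https://app.example.com:443/...`) is also dropped; that is conservative rather than a hole, and an implementation that wants to accept it would normalise the default port before comparing.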
--
This is an automated message from the Apache Git Service.