[QUESTION] Support for absence of state parameter in logout response #106
Labels
question
Further information is requested
Comments
clement-dufaure
changed the title
As stated in the FranceConnect documentation for the Logout Endpoint, the |
|
Fyi, this switch was introduced because France connect stopped sending the parameter in logout response (see issue #6). |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Previous version of this plugin had a switch to allow for the absence of the state parameter in franceconnect logout response (for csrf protection)
Shoud we reintroduce this switch in admin panel or should we definitively remove support for accepting logout responses without state parameter ?
It's about code around https://github.com/InseeFr/Keycloak-FranceConnect/blob/master/src/main/java/fr/insee/keycloak/providers/common/AbstractBaseIdentityProvider.java#L202C1-L211C100
The text was updated successfully, but these errors were encountered: