fix: pass standard params to storage #791
Conversation
aeneasr
force-pushed
the
standard-allow-params
branch
from
f0f4964
to
c8e469d
Compare
| @@ -159,10 +159,12 @@ func (a *Request) Merge(request Requester) { | |||
| } | |||
| } | |||
|
|
|||
| var defaultAllowedParameters = []string{"grant_type", "response_type", "scope", "client_id"} | |||
There was a problem hiding this comment.
In my own code, I use the following list:
"max_age", "prompt", "acr_values", "id_token_hint", "nonce",
// PCRE.
"code_challenge", "code_challenge_method",
// Other fields.
"display", "ui_locales", "login_hint",
There was a problem hiding this comment.
BTW, this is not really a "default" list (you cannot set it to non-default) but an "always allowed list".
There was a problem hiding this comment.
BTW, this is not really a "default" list (you cannot set it to non-default) but an "always allowed list".
True :)
I would probably drop id_token_hint because it contains a valid ID token
There was a problem hiding this comment.
Hm, thanks. You are right. I am storing that to support logout. But I should just store the subject ID, not the whole token.
There was a problem hiding this comment.
In fact, id_token_hint is from this list in fosite: https://github.com/ory/fosite/blob/master/handler/openid/flow_explicit_auth.go#L29-L35
So if you are saying this should not be stored into the database? Because fosite currently does so:
if err := c.OpenIDConnectRequestStorage.CreateOpenIDConnectSession(ctx, resp.GetCode(), ar.Sanitize(oidcParameters)); err != nil {
return errorsx.WithStack(fosite.ErrServerError.WithWrap(err).WithDebug(err.Error()))
}
There was a problem hiding this comment.
Maybe this means that subject should be extracted out earlier from the id_token_hint instead of being passed to the store inside form?
Related Issue or Design Document
Checklist
If this pull request addresses a security vulnerability,
I confirm that I got approval (please contact security@ory.sh) from the maintainers to push the changes.
Further comments