Add 'session_state' to redirect query removal #67
Conversation
|
I suppose the side question is 'why allow any query parameters in the redirect url at all', but I assume there's a reason. |
AzureAD sends code, state, and session_state query parameters along with the redirect, which need to be scrubbed for this function to work.
dreamlibrarian
force-pushed
the
tsmith/automatic-redirect-url-azuread-support
branch
from
d92fdef
to
85c5e97
Compare
There was a problem hiding this comment.
Why allow any query parameters in the redirect url at all?
I don't remember exactly why I did it this way, but I think I chose to keep query parameters because the OAuth spec allows it and I didn't want be overly prescriptive. One possible use is to capture information about the origin page when redirecting someone to authenticate so that you can send them back to the right place after the auth flow is complete.
Removing session_state looks good though, as it's an optional parameter in the spec that I missed.
|
Looks like this managed to cause a panic in Policy Bot somehow, so let me see if I can fix that and if not, I'll force merge this. |
AzureAD sends code, state, and session_state query parameters along with the redirect, which need to be scrubbed for this function to work with AzureAD oauth.