WIP: TECH-676 Support cookieless session lookup, including logout #7
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
… allows sessions to be looked up from an id_token_hint query parameter, and interactions from the UID in path params, if session cookies are not found. A separate 'cookies.doNotSet' option will cause cookies not to be set at all. The former is used in iframe environments where browsers might not send cookies even if they are set. Also a add a 'bypassConsent' parameter to the rpInitiatedLogout feature, which will bypass asking the user for logout consent if true.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
cookies.enableCookielessFallbackconfig value, which causes sessions to be looked up from thejtiin a parsed ID token passed via query params or form body (id_token_hintfor the RP-initiated logout case).jtifield of the issued ID token so it can be picked up by the above lookup.cookies.doNotSetconfig value which will cause the library not to set any cookies at all. This can be used to avoid browser alerts about third-party cookies when running as an iframe.bypassConsentconfig flag for the rpInitiatedLogout feature, which makes the server not ask for logout consent, for cases where logout consent is managed in a separate UI.Corresponding civic-auth WIP PR here
TODO: