feat(schemas): add idp-initiated SSO client side callback url columns #6675
Summary
Alter the `sso_connector_idp_initiated_auth_configs` table to support directly redirecting the user to the client app to initiate a standard OIDC authorization request.

Context

For better security and to support SPA applications, instead of automatically sending the OIDC authorization request from the server side, we provide a more recommended option: redirect the user to the client side to initiate an OIDC authentication flow.

Since the IdP-initiated SAML SSO authentication request is unsolicited, sending an OIDC authorization request directly from the server side cannot provide the necessary CSRF attack protection, e.g. the `state` parameter and the PKCE flow for SPA applications.

As a better recommendation, by default we redirect the user to a given client callback URL to initiate a standard OIDC auth flow, while keeping a live IdP-initiated SSO assertion session, so the user can be automatically authenticated via the same SSO connector.

Option A (Default): `auto_send_authorization_request` set to false. Field `client_idp_initiated_auth_callback_uri` in the config.

Option B (Previously implemented): `auto_send_authorization_request` set to true. `redirect_uri` and other `auth_parameters`.

Updates

- `auto_send_authorization_request`. Default false. When disabled, Logto will redirect the user to the client side to trigger an auth request.
- `client_idp_initiated_auth_callback_uri`. Exclusively stores the client side idp-initiated auth callback URL.
- SPA application type.

Testing

Checklist

- .changeset