
Sign_out request causes unsafe redirect error for Rails 7+

Open Taeir opened this issue 2 years ago • 1 comment

In Rails 7, a setting was changed/introduced that by default disallows redirects to external locations unless allow_other_host: true is passed to the redirect_to call.

When the name identifier format is set to transient, devise_saml_authenticatable will redirect a user to do an SLO request at the IdP, which is an external host (in most cases). This is set as the after_sign_out_path_for for the user. However, the method that does the redirect (I believe Devise::SessionsController#respond_to_on_destroy) does not pass allow_other_host, so Rails 7 and up will raise an UnsafeRedirectError in this case.

Taeir avatar Jul 17 '23 14:07 Taeir
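The failure described above, reproduced as an added example in plain Ruby. This is not code from devise_saml_authenticatable, Devise, or Rails: the check in url_host_allowed? and the redirect_to stand-in are modelled on the open-redirect protection Rails 7 applies when raise_on_open_redirects is on, and UnsafeRedirectError, APP_HOST and IDP_SLO_URL are local stand-ins constructed for the example. It shows why a same-host or path-only after_sign_out_path_for keeps working while the cross-host SLO URL raises, and that passing allow_other_host: true is what lets the SLO hop through.

```ruby
# Added example, not code from devise_saml_authenticatable, Devise or Rails:
# a plain-Ruby model of the open-redirect check Rails 7 performs in
# redirect_to, so the sign-out failure can be reproduced without a Rails app.
require "uri"

# Local stand-in for ActionController::Redirecting::UnsafeRedirectError
# (assumption: same name, defined here only so the example runs stand-alone).
class UnsafeRedirectError < StandardError; end

# Modelled on Rails' private _url_host_allowed?: a target is treated as
# same-host when its host equals the request host, or when it is a path-only
# URL that does not start with "//" (a protocol-relative URL would still
# leave the site). Unparseable URLs are rejected.
def url_host_allowed?(url, request_host)
  str = url.to_s
  host = URI(str).host
  return true if host == request_host
  return false unless host.nil?
  return false unless str.start_with?("/")
  !str.start_with?("//")
rescue ArgumentError, URI::Error
  false
end

# Models redirect_to with config.action_controller.raise_on_open_redirects = true
# (the default for apps generated with Rails 7). Returns the location when the
# redirect is permitted and raises UnsafeRedirectError otherwise.
def redirect_to(location, request_host:, allow_other_host: false)
  unless allow_other_host || url_host_allowed?(location, request_host)
    raise UnsafeRedirectError,
          "Unsafe redirect to #{location.inspect}, pass allow_other_host: true to redirect anyway."
  end
  location
end

# Constructed inputs: the application's host and an IdP SLO endpoint on a
# different host, standing in for what after_sign_out_path_for returns when
# the NameID format is transient.
APP_HOST = "app.example.com"
IDP_SLO_URL = "https://idp.example.org/saml/slo?SAMLRequest=..."

# The path the issue describes: the sign-out redirect is issued without
# allow_other_host, so a cross-host SLO URL trips the check.
def sign_out_redirect_default(after_sign_out_path)
  redirect_to(after_sign_out_path, request_host: APP_HOST)
end

# The remedy the issue points at: allow the other host for the SLO hop only.
def sign_out_redirect_with_slo(after_sign_out_path)
  redirect_to(after_sign_out_path, request_host: APP_HOST, allow_other_host: true)
end

# Runs the three cases and returns what happened in each.
def demo
  results = {}
  results[:local_root] = sign_out_redirect_default("/")          # "/"
  results[:slo_fixed]  = sign_out_redirect_with_slo(IDP_SLO_URL) # the SLO URL
  begin
    sign_out_redirect_default(IDP_SLO_URL)
    results[:slo_default] = :redirected
  rescue UnsafeRedirectError => e
    results[:slo_default] = e.class                              # UnsafeRedirectError
  end
  results
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

In a real app the equivalent fix lives in the controller that performs the sign-out redirect (overriding the Devise sessions controller so the SLO redirect passes allow_other_host: true), not in a global switch: turning raise_on_open_redirects off would also re-open the attacker-controlled-redirect case this Rails 7 change exists to prevent.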

Great catch! It looks like https://github.com/heartcombo/devise/pull/5462 is looking into this in devise.

adamstegman avatar Aug 14 '23 20:08 adamstegman