grist-core icon indicating copy to clipboard operation
grist-core copied to clipboard

Published 20 hours ago verified publisher icon gristlabs

Support nonce and acr with OIDC + Tests

Open fflorent opened this issue 11 months ago • 9 comments

Context

  • Some Identity provider don't support PKCE and instead impose Nonce;
  • They also may impose passing some ACR values;
  • And require to pass the state and the idToken in the logout

Proposed solution

  • Introduce the GRIST_OIDC_IDP_ENABLED_PROTECTIONS variable who can contain comma-separated values with either: STATE, NONCE and PKCE, and defaults to STATE,PKCE;
  • Introduce the GRIST_OIDC_IDP_ACR_VALUES variable with space separated values;
  • Once logged in (after the callback), store the state and the idToken for the logout, and clear any other values;
  • Introduce unit tests with mocks;
  • Also redirect to the error page when something went wrong while signing in;

fflorent avatar Mar 06 '24 10:03 fflorent