solid-client-authn-js

Add state parameter to login

Open gibsonf1 opened this issue 4 years ago • 3 comments

In order to send information to the IdP during login, for example to start with the registration page rather than the login page, enable sending a state parameter per spec https://tools.ietf.org/html/rfc6749#section-4.1.1

In the meantime, TrinPod will be looking at the query string of the redirect URI given on login, and when start=registration is seen, the user will be sent directly to registration instead of the login page.

gibsonf1 avatar Jan 14 '21 22:01 gibsonf1

Hiya Fred - yeah, that's a good suggestion, and should be pretty easy to add, as the underlying libraries we use (in our browser and Node code) both allow us to do that. I'll create an internal ticket on our side, but it'll just go into our backlog, so I've no idea when we'd get around to implementing it. As a pointer for anyone else looking to get to this before we do (at least in the browser-specific code), I think it's just a matter of updating the IOidcOptions interface to take your 'custom state', and then pass it into the oidcClientLibrary.createSigninRequest() method here: https://github.com/inrupt/solid-client-authn-js/blob/3542e3eea9c5c1f9bbc8216aa4a725bf285afb7f/packages/browser/src/login/oidc/oidcHandlers/AuthorizationCodeWithPkceOidcHandler.ts#L88. Something like that I suspect, anyways...

Thanks again for the issue!

pmcb55 avatar Jan 15 '21 10:01 pmcb55

It looks like the state parameter is specific to the OAuth 2.0 spec, but it's not clear to me more generally how URL parameters can be passed through the login to the app?

In a PWA app used as a share target in Android, content is typically passed in URL parameters, which then need to survive the login phase (especially if login does not survive refresh #423). It doesn't appear that Solid can be used in a PWA share target at the moment.

More generally, I would have thought it would be useful to be able to use hash tag links and URL parameters for deep-linking into Solid apps, but this doesn't seem to be possible at the moment?

Edit: Sorry, just realised hashes and URL params are of course included in the redirect URL.

josephguillaume avatar Jan 31 '21 04:01 josephguillaume

Now that authenticating client applications is a thing, I've got another use case. Currently, in my app, a user can log in from any page, and the redirect URL will just be set to that page.

However, if I were to add a client WebID, I'd have to specify redirect URLs in advance. Since the page URL is dependent on the user's Pod, there's an infinite number of potential page sources which cannot be known in advance.

Thus, one way to deal with this could be to be able to pass the source URL as a state parameter, so it could be restored after the user is returned back to the app.

Vinnl avatar Apr 25 '21 09:04 Vinnl
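
An added example, not part of the thread and not code from solid-client-authn-js: one way an app could carry the page a user logged in from through the login round trip as a state-style value and restore it afterwards, as the last comment proposes. Because the value comes back in the redirect's query string it is handled as untrusted and only same-origin targets are restored; `APP_ORIGIN` and both function names are hypothetical.

```javascript
// Added example: carry the page a user logged in from through the login
// redirect as an opaque value, and restore it safely afterwards.
// APP_ORIGIN and all function names are hypothetical.
const APP_ORIGIN = "https://app.example"; // constructed sample origin

// Build the value from the current page. Only the path, query and fragment
// are kept, so an honest value never names another origin.
function encodeReturnState(currentUrl, appOrigin = APP_ORIGIN) {
  const url = new URL(currentUrl);
  if (url.origin !== appOrigin) {
    throw new Error("refusing to encode a return URL outside the app origin");
  }
  return encodeURIComponent(url.pathname + url.search + url.hash);
}

// Turn a returned value back into a URL to navigate to. Anything that does
// not resolve to the app's own origin yields the fallback page instead.
function resolveReturnUrl(stateValue, appOrigin = APP_ORIGIN, fallback = "/") {
  const safeFallback = new URL(fallback, appOrigin).href;
  if (typeof stateValue !== "string" || stateValue.length === 0) {
    return safeFallback;
  }
  let candidate;
  try {
    candidate = new URL(decodeURIComponent(stateValue), appOrigin);
  } catch {
    return safeFallback; // malformed percent-encoding or unparsable URL
  }
  // "//other.example/x", "/\other.example" and "javascript:..." all parse
  // to a different (or opaque) origin and are rejected here.
  return candidate.origin === appOrigin ? candidate.href : safeFallback;
}
```

The same check applies whether the value travels in an OAuth `state` parameter or in the redirect URL's own query string.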