
Choose token authentication endpoint conditionally

Open felipemcg opened this issue 2 years ago • 2 comments

Greetings,

I'm using this plugin with Azure Active Directory B2C with custom policies.

I've 2 user flows:

  1. Regular signup/signin
  2. Signup following an invitation flow

I'm trying to change the token authentication endpoint conditionally in the following way:

  • If the user has used the regular signup flow, it should try to obtain the authentication token from the endpoint https://tenant.b2clogin.com/tenant.onmicrosoft.com/B2C_1A_SIGNUP_SIGNIN/oauth2/v2.0/token
  • If the user has used the invitation signup flow, it should use https://tenant.b2clogin.com/tenant.onmicrosoft.com/B2C_1A_SIGNUP_INVITE/oauth2/v2.0/token

What I've tried so far: I've used the "openid-connect-generic-alter-request" filter to alter the request, but with the information provided by the filter (request) I can't know which flow the user has followed in the first place. I've also tried using the filter "openid-connect-generic-auth-url" to set a transient with the user flow used inside, but there isn't a way to unequivocally retrieve it in the "openid-connect-generic-alter-request" filter.

felipemcg avatar Dec 10 '22 14:12 felipemcg

As described in get an authorization code the "state" parameter is intended for this type of scenario.

A value included in the request that can be a string of any content that you want to use. Usually, a randomly generated unique value is used, to prevent cross-site request forgery attacks. The state also is used to encode information about the user's state in the app before the authentication request occurred. For example, the page the user was on, or the user flow that was being executed.

Is there a way to append information to this state and also retrieve it again when the authentication callback starts?

felipemcg avatar Dec 14 '22 08:12 felipemcg

@felipemcg so currently the state is used to create a transient that stores the state and the original URL, to both verify the state upon return from the IDP and send the user back to where they started. We should be able to add a hook used during the state transient creation in order to support additional metadata, and then in other hooks you should be able to use the state to retrieve that transient. I may consider doing something a bit more siloed, such that the state transient would have a dedicated attribute that would be written into, and then pass the attribute contents through to other methods after state verification has passed.

timnolte avatar Dec 16 '22 01:12 timnolte
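The state-transient pattern discussed in this thread, written out as a stand-alone added example. This is not code from the openid-connect-generic plugin and does not use its hooks; it assumes an in-memory dict in place of WordPress transients, uses the two B2C token endpoints quoted in the issue (plus the matching authorize endpoints, an assumption), and gives the flows the hypothetical names `signup_signin` and `signup_invite`. The point it demonstrates is that the `state` value sent to the IdP is a random CSRF nonce only, and the per-login metadata (which user flow, where to return) lives server-side keyed by that nonce, so the callback can pick the correct token endpoint after the state has been verified, and a replayed or expired state is rejected.

```python
"""Added example: carry the B2C user flow across the OIDC round trip via
a server-side record keyed by the random `state` value (not plugin code)."""
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Endpoint base from the issue; the authorize URLs are an assumption.
TENANT_BASE = "https://tenant.b2clogin.com/tenant.onmicrosoft.com"

# Each B2C custom policy (user flow) has its own authorize and token endpoint.
FLOWS = {
    "signup_signin": {
        "authorize": f"{TENANT_BASE}/B2C_1A_SIGNUP_SIGNIN/oauth2/v2.0/authorize",
        "token": f"{TENANT_BASE}/B2C_1A_SIGNUP_SIGNIN/oauth2/v2.0/token",
    },
    "signup_invite": {
        "authorize": f"{TENANT_BASE}/B2C_1A_SIGNUP_INVITE/oauth2/v2.0/authorize",
        "token": f"{TENANT_BASE}/B2C_1A_SIGNUP_INVITE/oauth2/v2.0/token",
    },
}

STATE_TTL = 180  # seconds; the hop to the IdP and back should be quick
STORE = {}       # stand-in for set_transient / get_transient / delete_transient


def _now(now):
    return time.time() if now is None else now


def create_state(flow, return_url, now=None):
    """Mint an unguessable state and store the metadata needed on callback."""
    if flow not in FLOWS:
        raise ValueError(f"unknown flow: {flow}")
    state = secrets.token_urlsafe(32)  # 256 bits of randomness: the CSRF guard
    STORE[state] = {
        "flow": flow,               # the extra metadata the thread asks for
        "return_url": return_url,   # what the plugin already stores today
        "expires": _now(now) + STATE_TTL,
    }
    return state


def build_auth_url(flow, return_url, client_id, redirect_uri, now=None):
    """Authorization request for the chosen flow; only `state` goes to the IdP."""
    state = create_state(flow, return_url, now)
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
    }
    return f"{FLOWS[flow]['authorize']}?{urlencode(params)}"


def state_from_url(url):
    """Pull the `state` query parameter out of a URL (helper for callers/tests)."""
    return parse_qs(urlparse(url).query).get("state", [None])[0]


def consume_state(state, now=None):
    """Verify and delete the record (single use). Returns the record or None."""
    record = STORE.pop(state, None)  # pop, so a replayed state fails
    if record is None or _now(now) > record["expires"]:
        return None
    return record


def handle_callback(callback_url, now=None):
    """Verify state, then return (token_endpoint, code, return_url).

    The token endpoint is chosen from the stored flow only after the state
    check passes, which is the ordering timnolte describes above.
    """
    qs = parse_qs(urlparse(callback_url).query)
    state = qs.get("state", [None])[0]
    code = qs.get("code", [None])[0]
    if not state or not code:
        raise ValueError("missing state or code")
    record = consume_state(state, now)
    if record is None:
        raise ValueError("invalid, expired or replayed state")
    return FLOWS[record["flow"]]["token"], code, record["return_url"]


if __name__ == "__main__":
    url = build_auth_url("signup_invite", "https://example.test/welcome",
                         "client-id", "https://example.test/callback")
    st = state_from_url(url)
    # Constructed callback, as the IdP would redirect it back to us.
    print(handle_callback(f"https://example.test/callback?code=abc&state={st}"))
```

Two properties are worth checking when porting this to the plugin: the record is removed on first use, so a second callback with the same state is rejected rather than silently re-issuing a token request, and the expiry is enforced on consumption, so a state left in the store does not stay valid indefinitely.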