
OIDC support for SimpleSamlPhp consent

Open zoghlamikaiseruqam opened this issue 2 years ago • 6 comments

Hi, We are using OIDC v2.1.2 and we are deploying the consent module offered by SSP 1.19. I was wondering if the consent module is supported by the OIDC flows in this module? Regards, Kaiser.

zoghlamikaiseruqam avatar Nov 30 '23 16:11 zoghlamikaiseruqam

Hi @zoghlamikaiseruqam

I believe the consent module interacts with a user, and user interaction is not supported when running authproc filters from OIDC. There may be additional assumptions made in the consent module about it running in a SAML authentication context, but the main blocker for use is the user interaction portion.

pradtke avatar Nov 30 '23 16:11 pradtke

Hi @pradtke Thank you for your quick answer. Yes, unfortunately it seems that the user interaction portion is not supported when running authproc filters from OIDC. It's kind of a deal-breaker, since regulation policies are now asking identity providers to have user consent before transferring any user data to 3rd-party SPs. By any chance, would you have any ideas on how to work around this issue, and could this ticket be added to the SSP backlog for a near release? Thank you!

zoghlamikaiseruqam avatar Nov 30 '23 17:11 zoghlamikaiseruqam

I think that if this module would re-use SSP's ProcessingChain instead of executing the filters directly, it should be able to work with filters that do user interaction

tvdijen avatar Nov 30 '23 18:11 tvdijen

@tvdijen That's also what I am thinking. I have a similar ticket to test out the ProcessingChain for the authoauth2 module.

@zoghlamikaiseruqam When I say the user interaction is not supported, the issue is really that the OIDC module would not resume processing the list of authprocs at the next filter; I think it would start at the beginning. This may be okay in your case: if the user saves their choice, then when the consent module reran it would see the saved choice and not interact with the user on the second run of the filters. However, I'm not that familiar with the consent module.

As for timing for a real fix, I'm not sure. I think there would need to be some experimentation with ProcessingChain (like @tvdijen suggested) to see if it works or if it has assumptions about what $state data is set in a SAML context.

pradtke avatar Nov 30 '23 23:11 pradtke
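The interrupt-and-resume behaviour the comments above contrast (resuming at the next filter versus restarting the list) is easiest to see in code. The following is an added example, not code from simplesamlphp-module-oidc, the consent module or SimpleSAMLphp itself. It targets the SSP 1.19 API named in the issue (untyped `ProcessingFilter::process(&$request)`, static `\SimpleSAML\Utils\HTTP`), and it assumes the existence of the hypothetical names `Example\Auth\Process\ConfirmRelease`, a module endpoint `example/confirm`, the `StateId` query parameter, and the `Example\Oidc\Authorize::finishAuthorization` return callback; the `$idpMetadata`/`$spMetadata` arrays and the contents of `$state` are constructed inputs, and which `$state` keys a real consent filter needs is exactly the open question the thread raises.

```php
<?php
// Added example: the save-state / redirect / resume pattern that SSP's
// ProcessingChain supports and that running filters directly does not give you.
// Every class, URL and parameter under the Example\ namespace is hypothetical.
declare(strict_types=1);

namespace Example\Auth\Process;

use SimpleSAML\Auth\ProcessingChain;
use SimpleSAML\Auth\ProcessingFilter;
use SimpleSAML\Auth\State;
use SimpleSAML\Module;
use SimpleSAML\Utils\HTTP;

/**
 * A minimal interactive authproc filter. On the first pass it persists $state
 * (including ProcessingChain's record of which filters remain), redirects the
 * user to a confirmation page and never returns. On the resumed pass the flag
 * set by the endpoint is present and the filter is a no-op, so the chain moves
 * on to the NEXT filter instead of re-running the ones before it.
 */
class ConfirmRelease extends ProcessingFilter
{
    /** Stage tag used to bind the saved state to this filter's endpoint. */
    public const STAGE = 'example:confirm';

    // SSP 1.19 declares process(&$request) without a type hint; keep the same
    // signature so PHP accepts the override.
    public function process(&$request)
    {
        if (!empty($request['example:confirmed'])) {
            return; // already answered: let ProcessingChain continue
        }

        // Save the whole state (attributes, Destination, filter position) and
        // hand control to the user. redirectTrackableURL() ends the request.
        $id  = State::saveState($request, self::STAGE);
        $url = Module::getModuleURL('example/confirm');   // hypothetical endpoint
        HTTP::redirectTrackableURL($url, ['StateId' => $id]);
    }
}

/**
 * Handler for the hypothetical "example/confirm" endpoint, called after the
 * user clicks "allow". Loading with the same STAGE tag rejects state ids that
 * were issued for some other stage, then resumeProcessing() runs the filters
 * that were still pending and finally invokes ReturnCall / ReturnURL.
 */
function handleConfirmEndpoint(): void
{
    $id = $_REQUEST['StateId'] ?? null;
    if ($id === null) {
        throw new \RuntimeException('Missing StateId'); // constructed error handling
    }
    $state = State::loadState($id, ConfirmRelease::STAGE);
    $state['example:confirmed'] = true;
    ProcessingChain::resumeProcessing($state);   // does not return in practice
}

/**
 * What an authorization endpoint would do instead of iterating the filter list
 * itself: build the chain from IdP and SP metadata and let it drive $state.
 * If no filter interrupts, processState() returns and the caller continues;
 * if one does, the callback named in ReturnCall is invoked later with the
 * completed $state by resumeProcessing().
 */
function runAuthProcs(array $idpMetadata, array $spMetadata, array &$state): void
{
    // ProcessingChain requires exactly one of ReturnURL / ReturnCall.
    $state['ReturnCall'] = ['\Example\Oidc\Authorize', 'finishAuthorization']; // hypothetical
    $state['Source']      = $idpMetadata;   // keys SAML-era filters commonly read;
    $state['Destination'] = $spMetadata;    // which ones a given filter needs is an assumption

    $chain = new ProcessingChain($idpMetadata, $spMetadata, 'idp');
    $chain->processState($state);
}
```

The security-relevant detail is in `handleConfirmEndpoint()`: binding the saved state to a stage tag means a state id minted for one interaction cannot be replayed into another, and because the chain position is part of the saved state, the filters that ran before the interruption are not executed a second time on resume.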

Related to #179

cicnavi avatar Dec 01 '23 11:12 cicnavi

Should be part of the next major release. Functionality merged in #228

pradtke avatar Jul 11 '24 23:07 pradtke