Allow sdk redirect on settings actions #3827
Conversation
IniZio
force-pushed
the
3813-settings-action-redirect
branch
3 times, most recently
from
2cc5ce1 to
aa81537
Compare
IniZio
force-pushed
the
3813-settings-action-redirect
branch
4 times, most recently
from
db703db to
0bf3a3b
Compare
|
@tung2744 @louischan-oursky Updated to reflect latest settings action spec, still adding test cases for new response type and grant type 🙏 |
IniZio
force-pushed
the
3813-settings-action-redirect
branch
5 times, most recently
from
84afb58 to
a55babf
Compare
IniZio
changed the title
IniZio
force-pushed
the
3813-settings-action-redirect
branch
from
a55babf to
7dbc9fe
Compare
IniZio
changed the title
IniZio
force-pushed
the
3813-settings-action-redirect
branch
2 times, most recently
from
efb78ef to
8a6c22a
Compare
IniZio
force-pushed
the
3813-settings-action-redirect
branch
4 times, most recently
from
cac1bb5 to
70da13b
Compare
IniZio
force-pushed
the
3813-settings-action-redirect
branch
4 times, most recently
from
211c791 to
28cefe1
Compare
|
Tried to create a stimulus controller that can override history items https://github.com/IniZio/authgear-server/tree/3813-settings-action-redirect-web The script itself works in other flows, but the consent page will block the In this pr, I inserted a |
IniZio
force-pushed
the
3813-settings-action-redirect
branch
from
6d3832f to
ba267df
Compare
|
After discussion, will make web behave similarly as other platforms. Will guard back-navigation only at consent screen instead. Other screens will still show expired error for now. Changes:
|
IniZio
force-pushed
the
3813-settings-action-redirect
branch
from
ba267df to
4e7b9b0
Compare
| // Do not set anything. | ||
| if redirectURI != consentURI { | ||
| return redirectURI | ||
| } |
There was a problem hiding this comment.
Why do we add this?
There was a problem hiding this comment.
It's in the original code, was removed in a temp commit for an old approach in this pr. New commit adds it back.
| &nodes.EdgeDoEnsureSession{ | ||
| Mode: nodes.EnsureSessionModeNoop, | ||
| }, | ||
| }, nil |
There was a problem hiding this comment.
Why do we need to add EdgeDoEnsureSession here?
There was a problem hiding this comment.
Currently it's possible to change password to same as previous value and still return as success. Or should it be treated as fail for settings action?
There was a problem hiding this comment.
I think it should be a success, but the developer could enable password history check, which should cause the flow to return api error. That should be handled by password policy already.
There was a problem hiding this comment.
Does this work? EdgeDoEnsureSession should be irrelevant here.
case *nodes.NodeChangePasswordEnd:
// Password was not changed
return []interaction.Edge{&nodes.EdgeSettingsActionEnd{}}, nil
case *nodes.NodeDoUpdateAuthenticator:
return []interaction.Edge{&nodes.EdgeSettingsActionEnd{}}, nil
case *nodes.NodeSettingsActionEnd:
// Intent is finished.
return nil, nil
There was a problem hiding this comment.
Should still need, similar to IntentReauthenticate. Tried removing it results in invalid authentication required
| @@ -398,7 +428,7 @@ func (h *AuthorizationHandler) doHandle( | |||
| // Handle prompt!=none | |||
| // We must return here. | |||
| if !slice.ContainsString(uiInfo.Prompt, "none") { | |||
| endpoint, err := h.UIURLBuilder.Build(client, r, oauthSessionEntry) | |||
| endpoint, err := h.UIURLBuilder.BuildAuthenticationURL(client, r, oauthSessionEntry) | |||
There was a problem hiding this comment.
We will remove parseAuthzRedirectURI, and in here, we will choose between BuildAuthenticationURL and BuildSettingsActionURL. In doing this, we preserve the original code flow, and let the reader to reason the code easier.
IniZio
changed the title
IniZio
force-pushed
the
3813-settings-action-redirect
branch
from
2fbd47d to
a82f704
Compare
IniZio
changed the title
| &nodes.EdgeDoEnsureSession{ | ||
| Mode: nodes.EnsureSessionModeNoop, | ||
| }, | ||
| }, nil |
There was a problem hiding this comment.
Does this work? EdgeDoEnsureSession should be irrelevant here.
case *nodes.NodeChangePasswordEnd:
// Password was not changed
return []interaction.Edge{&nodes.EdgeSettingsActionEnd{}}, nil
case *nodes.NodeDoUpdateAuthenticator:
return []interaction.Edge{&nodes.EdgeSettingsActionEnd{}}, nil
case *nodes.NodeSettingsActionEnd:
// Intent is finished.
return nil, nil
We now use implicitly whitelisted response types instead of client config
Return to user app if user visits expired oauth pages e.g. oauth consent. It mostly likely happens when users refresh on expired oauth page or go back after oauth flow has completed e.g. settings action.
louischan-oursky
force-pushed
the
3813-settings-action-redirect
branch
from
d1fe865 to
dadf4dd
Compare
ref #3813
Initially wanted to apply this derive function on all settings sub-pages. However it will be odd to, for example close the webview on remove an identity in
/settings/identitypage