Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

The authentication response should also be able to return session_state. #670

Open
2 tasks done
nannany opened this issue Oct 27, 2024 · 3 comments
Open
2 tasks done

Comments

@nannany
Copy link
Contributor

nannany commented Oct 27, 2024

Preflight Checklist

  • I could not find a solution in the existing issues, docs, nor discussions
  • I have joined the ZITADEL chat

Describe your problem

The authentication response in the authorization code grant is controlled in the following section. If we incorporate the OIDC session management specifications, it will be necessary to include session_state in the authentication response. I want to enable handling of session_state.


https://github.com/zitadel/oidc/blob/main/pkg/op/auth_request.go#L482-L488

	codeResponse := struct {
		Code  string `schema:"code"`
		State string `schema:"state,omitempty"`
	}{
		Code:  code,
		State: authReq.GetState(),
	}

Describe your ideal solution

To allow session_state to be passed in the authentication request, I will modify the codeResponse interface to accept session information as an argument.

Version

No response

Environment

Self-hosted

Additional Context

No response

@muhlemmer
Copy link
Collaborator

We have nothing against adding it to the response object. Just curious, how do you plan to get / store the session state in the fitst place?

@muhlemmer muhlemmer moved this from 🧐 Investigating to 📋 Sprint Backlog in Product Management Oct 30, 2024
@muhlemmer muhlemmer moved this from 📋 Sprint Backlog to 📨 Product Backlog in Product Management Oct 30, 2024
@nannany
Copy link
Contributor Author

nannany commented Oct 30, 2024

I understand the question as asking how session_state is initially stored and subsequently retrieved by the OpenID Provider.

Regarding storage, since session_state is a value associated with the session established between the OpenID Provider and the browser, I assume it would be created in the database or memory when the session is created. This likely depends on the specific implementation, so it may not necessarily be related to zitadel/oidc.

For retrieving session_state in AuthResponseCode, I believe it would be effective to create an interface within Storage or a similar structure specifically for obtaining session_state.

@muhlemmer
Copy link
Collaborator

Yeah, that sounds reasonable. Just as long as you are aware you need to touch the Storage or AuthRequest interface or probably need an optional interface to prevent breaking changes.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
Status: 📨 Product Backlog
Development

No branches or pull requests

3 participants