Passing parameters between the login and the callback functions #507
Comments
Also faced this problem with the same use case.
I tried a lot of ways to find the workaround but found nothing. And finally, I found the moment when this possibility had been broken: #217 PS: |
I ultimately found a solution to this problem. I'm not sure it's pretty though. I'm kinda hijacking that at the moment: ...
```go
// Add any data to the state, we can decode this data later in the auth callback.
// - add is_web (bool) to check if the client is a web browser
// (inside a gin handler: c is the *gin.Context, q the parsed query values,
//  loginQuery the parsed login request)
authState := AuthState{IsWeb: loginQuery.IsWeb, Rand: generateRandomState()}
q.Add("state", authState.ToStateString())
c.Request.URL.RawQuery = q.Encode()
logger.Debug("Starting auth flow")
url, err := gothic.GetAuthURL(c.Writer, c.Request)
if err != nil {
	c.AbortWithError(http.StatusInternalServerError, err)
	return // AbortWithError does not stop this handler; without the return the redirect below would still run
}
logger.Debug("Auth url generated, redirecting")
c.Redirect(http.StatusFound, url)
```

This can be later decoded in the auth callback. From what I understand, the only thing to watch out for is that the state parameter is still random and unguessable, but technically it's possible to shove some custom data in there. I'd be happy to see a better solution though. Also, if the session approach can be fixed, I'd have one question: how does the session work in the case where my app is deployed on kubernetes with several replicas? Is the session stored in each replica? |
@JPFrancoia thank you for sharing your workaround, I also thought about it but decided to avoid it, because usually the state is just a CSRF token which comes from the frontend side, and when we customise this, we can break the default behavior of the frameworks. But anyway, I think your solution is totally legal (cos you include the random string in your state object too), cos Google, for example, says that the state parameter can be used for saving application custom data.
I think, to cover these needs, you should implement your own Store and directly set it this way:
and for sharing data between different pods, your implementation should be based not on the default cookie store but on Redis key-value storage, for example. |
Thanks for commenting!
In my case the state is entirely controlled by the backend; the frontend just triggers the flow, but I get your point.
Yep, makes sense. Another pro for using the |
How do you know the state you get back is the state value you sent? |
I don't, but in my case I don't care. I'm just storing the |
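The state-with-payload approach from the workaround above, together with the check the previous question asks for, as an added example that is not code from this thread or from goth: the payload is HMAC-signed with a server secret (assumed `key`) so the callback can detect a forged or edited state, and the random nonce is compared against the one saved in the session at login. `AuthState`, `EncodeState`, `DecodeState` and `tagFor` are hypothetical names; the nonce is assumed to come from something like the comment's `generateRandomState()`.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// AuthState is the custom payload carried in the OAuth "state" parameter (hypothetical
// type mirroring the comment's AuthState); Nonce is the random value also kept in the session.
type AuthState struct {
	IsWeb bool   `json:"is_web"`
	Nonce string `json:"nonce"`
}

// EncodeState serialises the payload and appends an HMAC-SHA256 tag under the
// server secret key, so the callback can reject a forged or edited state.
func EncodeState(s AuthState, key []byte) string {
	body, _ := json.Marshal(s) // cannot fail for a bool and a string field
	return base64.RawURLEncoding.EncodeToString(body) + "." + tagFor(body, key)
}

func tagFor(body, key []byte) string {
	mac := hmac.New(sha256.New, key)
	mac.Write(body)
	return base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// DecodeState checks the tag in constant time before trusting the payload, then
// checks the nonce against the one the session recorded at login (CSRF binding).
func DecodeState(state string, key []byte, sessionNonce string) (s AuthState, err error) {
	parts := strings.SplitN(state, ".", 2)
	body, err := base64.RawURLEncoding.DecodeString(parts[0])
	if len(parts) != 2 || err != nil {
		return s, errors.New("malformed state")
	}
	if !hmac.Equal([]byte(parts[1]), []byte(tagFor(body, key))) {
		return s, errors.New("state signature mismatch")
	}
	if err = json.Unmarshal(body, &s); err != nil {
		return s, err
	}
	if s.Nonce == "" || !hmac.Equal([]byte(s.Nonce), []byte(sessionNonce)) {
		return s, errors.New("state nonce does not match session")
	}
	return s, nil
}
```

The signature stops tampering with `is_web`, but only the session-bound nonce check ties the callback to the login that started it, so both are needed.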
I'm in a weird situation where when I call the auth_callback, I need to know how the auth flow was initiated:
Basically when I start the flow, I call `mysite.com/auth/provider_name?is_web=true`. I'm parsing the `is_web` parameter in the `Login` function, and I'm then trying to store it in the gothic session. Then when `AuthCallback` is triggered, I'm trying to get `is_web` back, but the call to `gothic.CompleteUserAuth` raises an error: `you must select a provider`. I believe at this point the content of the session is overwritten? Does the call to `StoreInSession` wipe out the relevant info?