[Openid-specs-ab] Issue #1713: Allow redirect back when using direct_post on a same-device flow (openid/connect)

josephheenan issues-reply at bitbucket.org
Thu Nov 3 12:00:36 UTC 2022


New issue 1713: Allow redirect back when using direct_post on a same-device flow
https://bitbucket.org/openid/connect/issues/1713/allow-redirect-back-when-using-direct_post

Joseph Heenan:

As per discussion under [https://bitbucket.org/openid/connect/pull-requests/327/clarified-the-definition-of-response-mode#comment-340334880](https://bitbucket.org/openid/connect/pull-requests/327/clarified-the-definition-of-response-mode#comment-340334880) it was noted that direct_post has use cases where it may be needed or desirable to use it in a same-device flow (e.g. if the response is too large or sensitive to go in a URL, but the wallet is an app that can't provide a token endpoint).

In that situation, to have a good user experience (may also be security benefits, not sure?), it would still be desirable to be able to redirect back to the original app/website, but there's no defined way to do that.

I think it might need:

1. a request parameter to say whether or not a redirect is desired (as it's probably not helpful to redirect if it's a cross-device flow)
2. a definition of the redirect URI parameters (maybe just state, but it might need something to say 'you should have received the result by direct post' and presumably an alternative of an error parameter for an unsuccessful flow, e.g. if the direct post failed?)
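As an added illustration of the two items proposed above (not code from the issue, the PR, or any OpenID specification): a wallet delivers the response by direct_post and then decides whether to send the user back. The request parameter `redirect_after_post`, the `redirect_uri` in the request, and the `result`/`error` parameters placed on the redirect are hypothetical names chosen for this sketch; the sample request is constructed.

```python
from urllib.parse import urlencode, urlsplit, urlunsplit

# Constructed sample authorization request as the wallet would receive it.
# "redirect_after_post", "redirect_uri" and the parameters placed on the
# redirect are hypothetical names for the proposal in this issue, not names
# any spec defines.
SAMPLE_REQUEST = {
    "response_mode": "direct_post",
    "response_uri": "https://verifier.example/presentations",
    "state": "af0ifjsldkj",
    "redirect_after_post": True,                  # hypothetical: same-device flow
    "redirect_uri": "https://rp.example/return",  # hypothetical: where the user returns to
}

def _with_query(url, params):
    """Append params to url's query string, keeping any query already there."""
    parts = urlsplit(url)
    query = parts.query + ("&" if parts.query else "") + urlencode(params)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))

def finish_direct_post(request, vp_token, post):
    """Deliver the response by HTTP POST to response_uri, then decide what the
    wallet should do next.  `post(url, form)` is injected so the logic runs
    offline; it returns the HTTP status code of the POST.

    Returns None when no redirect is wanted (e.g. a cross-device flow), or the
    URL the wallet should send the user to.  That URL carries only `state`
    plus either a delivery marker or an error, never the presentation itself,
    which is the whole point of having used direct_post."""
    form = {"vp_token": vp_token, "state": request["state"]}
    status = post(request["response_uri"], form)

    if not request.get("redirect_after_post"):
        return None                      # cross-device: nothing to redirect to

    redirect_uri = request.get("redirect_uri", "")
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or not parts.netloc or parts.fragment:
        return None                      # refuse to redirect to an unexpected target

    params = {"state": request["state"]}
    if 200 <= status < 300:
        params["result"] = "delivered_via_direct_post"   # hypothetical marker
    else:
        params["error"] = "direct_post_failed"           # hypothetical error code
        params["error_description"] = f"response_uri returned HTTP {status}"
    return _with_query(redirect_uri, params)
```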
