Currently we use 'sessionDataKey' query parameter in many different places to correlate an http redirect (or POST with auto-submit) request sent out from the Identity Server and response coming back from the external party (login page/consent page/external IDP/etc.) to the Identity Server.
Shall we look at supporting cookies in addition to query parameters? The main reason I think why we need to support cookies for this is because, in some use cases there are existing applications with login pages which we can't touch at all. In those cases we can extend the authenticators to support the authentication protocol specific parameters. E.g. username, password, otp, etc. But 'sessionDataKey' is not an authentication protocol specific parameter and is not handled by authenticators, but the authentication framework. This makes it impossible to support such a use case without touching the existing login pages. Even the action attribute of the form can be left unchanged and we can update the LB rule to point the old DNS name of the application to IS. Also it makes it lot easier for us to explain customization to users. We don't need to explain what "sessionDataKey" parameter is, why its used, etc. Its all taken care by IS. On the other hand why we need to keep supporting query parameters is, 1. With non-browser clients, cookies may not work. 2. Another limitation with cookies is that, with query parameters we can actually send out multiple requests to 3rd parties, e.g. login pages, IDPs, etc. in parallel from the same browser, and track them individually using sessionDataKey query parameter. But with cookies we can have only one cookie under one name in the browser so we can't send out parallel request to 3rd parties. We still can overcome this by using a convention in the cookie names like "SessionDataKey.1", "SessionDataKey.2", and so on. When the response comes back we can check for the values in all the SessionDataKey cookies. I think its worth doing it. What do you think? -- Thanks & Regards, *Johann Dilantha Nallathamby* Technical Lead & Product Lead of WSO2 Identity Server Governance Technologies Team WSO2, Inc. lean.enterprise.middleware Mobile - *+94777776950* Blog - *http://nallaa.wordpress.com <http://nallaa.wordpress.com>*
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
