adb014 commented on PR #1198:
URL: 
https://github.com/apache/guacamole-client/pull/1198#issuecomment-4222611734

   Ok, I've addressed all of your comments. Thinking about it, I still have one 
issue. Guacamole displays the data returned by Keycloak in the navigation bar, 
including the "code" field for the code flow... If the user refreshes the page, as 
they often do if there is a problem, authenticateUser will be called again with 
the stale code and this will be posted to the identity provider. The identity 
provider detects this as code "reuse" and probably an attack. This is bad.
   
   An idea would be, in authenticateUser, to do a redirect to the Guacamole root 
instead of returning from authenticateUser. This currently breaks things, though. 
The only other choice I see is to use code like
   
   ```javascript
   (function guacOpenIDTransformToken() {
       // Drop the query string (e.g. "?code=...&state=...") from the visible
       // URL so that a reload cannot re-submit it to the identity provider.
       if (window.history && history.replaceState)
           history.replaceState(null, "", window.location.pathname +
               window.location.hash);
       // Rewrite a raw "#id_token=..." fragment (one that is not already a
       // "#/..." or "#?..." route) into "#/?id_token=..." so the hash-based
       // router picks the token up as a query parameter of the root route.
       if (/^#(?![?\/])(.*&)?id_token=/.test(location.hash))
           location.hash = '/?' + location.hash.substring(1);
   })();
   ```
   
client-side in transformToken.js to hide the non-URL-fragment query 
parameters returned by the identity provider from the user. It still needs 
testing, so I'll submit another patch soon.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
