https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42719
--- Comment #10 from David Cook <[email protected]> ---
(In reply to David Cook from comment #9)
> If we look at OIDC, it does outline some information about "Initiating Login
> from a Third Party":
>
> https://openid.net/specs/openid-connect-core-1_0.html#ThirdPartyInitiatedLogin
>
> Okta itself refers you to the OIDC docs:
> https://help.okta.com/en-us/content/topics/apps/apps_app_integration_wizard_oidc.htm
>
> It looks like X-FRAME-OPTIONS is what blocks the iframe clickjacking in
> modern browsers...
>
> And my testing for putting it into something like an <img> actually only
> failed because of using localhost for testing...
>
> For Okta, wouldn't it make sense to create an "initiate_login_uri" that takes
> the "iss" parameter, checks it against the Koha database, and then prompts
> the user saying "Issuer <iss> is initiating login. Would you like to
> proceed?" and then go off that?

I think that this is the way to go. That way, you provide a workable option
using third-party initiated login according to spec, plus you're defeating
login CSRF.

-- 
You are receiving this mail because:
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
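The flow proposed in the comment above (an initiate_login_uri that validates "iss" against a known-issuer list, asks the user to confirm, and only then starts the OIDC authorization request) as an added, framework-agnostic Python sketch. This is example code written for this page, not Koha's code (Koha is Perl) and not David Cook's patch; the issuer table, host names, client id, endpoints and function names are all assumptions. The user-confirmation step is the comment's proposal; the exact-match issuer lookup, the `target_link_uri` open-redirect check, and the `state`/`nonce` values come from the linked OIDC Core section on third-party initiated login.

```python
"""Third-party initiated OIDC login with an explicit user confirmation step.

Constructed example: the dict below stands in for the issuer table that the
real endpoint would look up in the Koha database.
"""
import secrets
from urllib.parse import urlencode, urlsplit

# Constructed sample issuer registry (assumption: one Okta tenant known to the RP).
KNOWN_ISSUERS = {
    "https://example.okta.com": {
        "client_id": "example-client-id",
        "authorization_endpoint": "https://example.okta.com/oauth2/v1/authorize",
        "redirect_uri": "https://opac.example.org/api/v1/oauth/callback",
    },
}
# Hosts that target_link_uri may point at (our own OPAC only), per the spec's
# requirement that the RP not act as an open redirector.
RP_HOSTS = {"opac.example.org"}
# The confirmation page must not be frameable, so a third party cannot
# clickjack the "proceed" button.
SECURITY_HEADERS = {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
    "Cache-Control": "no-store",
}


def lookup_issuer(iss, known=KNOWN_ISSUERS):
    """Exact string match only: no prefix match, no trailing-slash normalisation."""
    return known.get(iss)


def validate_target_link_uri(uri, allowed_hosts=RP_HOSTS):
    """Return uri if it is an https URL on one of our own hosts, else None."""
    if uri is None:
        return None
    parts = urlsplit(uri)
    if parts.scheme != "https" or parts.netloc not in allowed_hosts:
        return None
    return uri


def handle_initiate_login(params, session):
    """Step 1 (GET initiate_login_uri): validate iss, stash the request, ask the user.

    Never redirects to the provider on its own: an unsolicited link must not be
    able to log the user into an attacker-chosen account (login CSRF).
    """
    iss = params.get("iss")
    if not iss or lookup_issuer(iss) is None:
        return {"status": 400, "headers": SECURITY_HEADERS, "body": "Unknown issuer"}
    requested_target = params.get("target_link_uri")
    target = validate_target_link_uri(requested_target)
    if requested_target is not None and target is None:
        return {"status": 400, "headers": SECURITY_HEADERS, "body": "target_link_uri not allowed"}
    # Per-session token binding the confirmation POST to this prompt.
    confirm_token = secrets.token_urlsafe(32)
    session["pending_login"] = {
        "iss": iss,
        "login_hint": params.get("login_hint"),
        "target_link_uri": target,
        "confirm_token": confirm_token,
    }
    body = f"Issuer {iss} is initiating login. Would you like to proceed?"
    return {"status": 200, "headers": SECURITY_HEADERS, "body": body, "confirm_token": confirm_token}


def handle_confirm(form, session):
    """Step 2 (POST from the confirmation page): build the authorization request."""
    pending = session.get("pending_login")
    supplied = form.get("confirm_token", "")
    if not pending or not secrets.compare_digest(supplied, pending["confirm_token"]):
        return {"status": 403, "headers": SECURITY_HEADERS, "body": "Confirmation required"}
    cfg = lookup_issuer(pending["iss"])
    state = secrets.token_urlsafe(32)   # ties the callback to this browser session
    nonce = secrets.token_urlsafe(32)   # must be echoed in the ID token
    session["oidc"] = {
        "state": state,
        "nonce": nonce,
        "iss": pending["iss"],
        "target_link_uri": pending["target_link_uri"],
    }
    del session["pending_login"]
    query = {
        "response_type": "code",
        "client_id": cfg["client_id"],
        "redirect_uri": cfg["redirect_uri"],
        "scope": "openid email",
        "state": state,
        "nonce": nonce,
    }
    if pending["login_hint"]:
        query["login_hint"] = pending["login_hint"]
    location = cfg["authorization_endpoint"] + "?" + urlencode(query)
    return {"status": 302, "headers": {**SECURITY_HEADERS, "Location": location}}


def check_callback_state(params, session):
    """Step 3 (redirect_uri): accept the callback only if state matches this session.

    Returns the stored login context on success, None otherwise. Token exchange
    and ID-token/nonce validation would follow and are out of scope here.
    """
    ctx = session.get("oidc")
    if not ctx or not secrets.compare_digest(params.get("state", ""), ctx["state"]):
        return None
    # If the provider echoes iss (RFC 9207) it must be the issuer we started with.
    if "iss" in params and params["iss"] != ctx["iss"]:
        return None
    return ctx
```

The confirmation page renders `body` with a form carrying `confirm_token`; because the first request only stores state and shows a prompt, a bare link or `<img>` hit on initiate_login_uri never completes a login, and the `state` check at the callback rejects responses that did not originate from this user's confirmed request.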
