Skip to content

feat(#479): set returnUrl in requests #499

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
elinohlsson merged 9 commits into from
Sep 5, 2025
Merged

feat(#479): set returnUrl in requests #499

elinohlsson merged 9 commits into from
Sep 5, 2025

Conversation

@Zonnex
Copy link
Contributor

@Zonnex Zonnex commented Mar 26, 2025

This PR fixes first part of #479, to assign the returnUrl for the AuthRequest/SignRequest we send to BankId. This URL takes precedence over the returnUrl given in the AutoStart functionality.

@Zonnex Zonnex requested a review from elinohlsson March 28, 2025 10:30
elinohlsson
elinohlsson approved these changes Mar 28, 2025
View reviewed changes
Copy link
Contributor

@elinohlsson elinohlsson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good!

@Zonnex Zonnex force-pushed the feature/479-returnUrl branch from 58bde17 to 21d461b Compare April 9, 2025 08:22
Elin Fokine added 7 commits August 29, 2025 11:32
merge from main
34db1cf
Set return url for payments.
cb110e6
Merge branch 'main' into feature/479-returnUrl
f5a4642
Use existing logic in active login to provide the correct return url …
993fe86 
…depending on device, os, etc. This logic is currently used when setting the return url as part of the auto launch url and should be applied when sending the return url to bankid as part of the auth, sign or payment request as well.
Improved comments. Use obsolete constructor to encorage using the new…
11f0cd1 
… constructor with the return url.
Updated comment for returnurl in bankid request.
7ab7d1d
Use new constructor for BankIdLaunchInfo.
50c7226
@elinohlsson elinohlsson requested a review from Liteolika August 29, 2025 14:48
@elinohlsson elinohlsson self-assigned this Aug 29, 2025
@elinohlsson elinohlsson added this to the Next release milestone Aug 29, 2025
Liteolika
Liteolika approved these changes Sep 3, 2025
View reviewed changes
Copy link
Contributor

@Liteolika Liteolika left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The security of the returnUrl feature relies entirely on correct implementation by library users. The potential main risk is improper validation of returnUrl and nonce by downstream developers which may expose open redirect or replay vulnerabilities.

A automated safeguard and/or validation of the returnUrl could be a future feature.

@elinohlsson
Copy link
Contributor

elinohlsson commented Sep 5, 2025

@Liteolika You're correct that this is a potential concern. In many scenarios (depending on device and OS), Active Login deliberately clears the returnUrl and replaces it with an empty string. This is required for the flow to work: the BankID app closes, and the user returns to the application in the background. Because of this behavior, having Active Login attach a nonce to the returnUrl isn’t straightforward.

That said, I agree this is an area worth revisiting, and we should explore potential improvements in the future.

@elinohlsson elinohlsson merged commit 500e521 into main Sep 5, 2025
18 checks passed
@elinohlsson elinohlsson deleted the feature/479-returnUrl branch September 5, 2025 08:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Liteolika Liteolika Liteolika approved these changes

@elinohlsson elinohlsson elinohlsson approved these changes

Assignees

@elinohlsson elinohlsson

Labels

None yet

Projects

None yet

Milestone

11.1.0

Development

Successfully merging this pull request may close these issues.

4 participants

@Zonnex @elinohlsson @Liteolika