Actually views.do_response (flask_op or django-oidc-op) handles the cookie, and if I'd like to not use it, when my user-agent calls the session endpoint for logging out, I get an error instead.
That's the call to the session endpoint:
https://127.0.0.1:8000/oidcop/session?id_token_hint=eyJhbGciOiJSUzI1NiIsImtpZCI6IlNWbzNWRWxXU2xCRmVqRnBSVzFaU2trNWNuVmhVa2wyY0doU2EzYzVSMFZ4WVY5ZldYTlpkRkY1UlEifQ.eyJzdWIiOiAiYTdiMGRlYTI5NThhZWMyNzVhNzg5ZDdkN2RjOGU3ZDA5YzYzMTZkZDRmYzZhZTkyNzQyZWQzMjk3ZTE0ZGRlZCIsICJhdXRoX3RpbWUiOiAxNjIyNzM2NjQ2LCAiYWNyIjogInVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOkludGVybmV0UHJvdG9jb2xQYXNzd29yZCIsICJub25jZSI6ICJnTlBlS0VlZW1IMjN0eFVGNE5xVGNLNmoiLCAiaXNzIjogImh0dHBzOi8vMTI3LjAuMC4xOjgwMDAiLCAiaWF0IjogMTYyMjczNjY1MCwgImV4cCI6IDE2MjI3MzY5NTAsICJhdWQiOiBbIlJfWjVGVjY5c2lzcXYtWUpIV1V1N1EiXX0.p6H1G9w_RGxiJzyZVxOOR8hTJRUGBxi5iAsUcdvkVcJCVhngXzLE0Bg3YCmpTX2dwBecmyxmlD7wdCa-_y-DaB64cXHvL0Jt40LKxXlQCvGkP5_SSxtb90BaAmJvWvCjvr5qYQxnnp23_bfkqnUCuLTUigUgYKGLvDpfWo_IQGja_h7QLL8AaX0Jm5KmGVhvFGHWuFgcW-72uagbKUQACus7s64AgQ2OmwylGIUaPMQpgT-U063h_L_jp3UDhSIG9ZuoQUkw0_KE1AnQlWDNYflA5fmmKEOs_1XpI59pD9gfF9NXngSXm9hXrTnMm6_2jFj-TWSRs-LiqIDpFJTqfA&post_logout_redirect_uri=https%3A%2F%2F127.0.0.1%3A8090%2Fsession_logout%2Fdjango_provider&state=QrerCGcnVGzdrs32X1NgBUXjDZYEb16b
That's the response, an error:
"{\"error\": \"invalid_request\", \"error_description\": \"Missing cookie\", \"method\": \"GET\"}"
I can adopt a workaround in Django, BUT I'm wondering if we could disable cookies entirely in oidc-op, as an option.
For example, if cookie_handler is not configured, well, oidc-op won't issue cookies anymore.
What do you think about that?
Last but not least, the current implementation doesn't handle same site and same party.
