Support for concurrent authentication (multiple states and origins) #103
Conversation
pierre-pretorius
changed the title
pierre-pretorius
changed the title
1 similar comment
2 similar comments
|
This is related to #95 and also seems like a duplicate of #88 and #75. Anyway, a lot of people seem interested in a fix for these issues.
|
|
This will fix a lot of issues related to the is it anything I can do to get it merged @tmilewski ? |
|
I'll have to take a look through all of this later. That said, any help would be greatly appreciated! At first glance, the big things, at this point, would be adding specs and getting it to pass CI. |
|
Just wanted to drop a quick note that we are seeing exactly the issue described in the PR. We use a single oauth provider for authentication and do indeed trigger authentication right away. When two or more tabs are going through authentication at the same time, Any chances to get this patch finalized? |
Consider a scenario where you only allow your users to authenticate against a single oauth2 provider such as Google. With this scenario it's common not to have a login page and just immediately attempt authentication against the oauth2 provider. If the user starts up his browser and restores multiple tabs of your application, all these tabs redirect to the provider login screen. If the user then signs in on each tab he gets a CSRF error on all except the last tab that opened on your application callback because this gem only allows one
stateparameter in the session. Furthermore it doesn't redirect back to the origin correctly because it only stores oneoriginas well. This pull request stores multiplestateparameters in the session and anoriginfor each of thestates.