LG-7434: Allow cross origin for POST OIDC Logout #10697
Merged: lmgeorge merged 9 commits into `main` from `lmgeorge/LG-7434-add-support-for-post-oidc-logout-requests` on May 30, 2024
Commits on May 29, 2024
LG-7434: Allow cross origin for POST OIDC Logout
**Why**:

- It is expected that requests will be made by relying parties on external domains
- The specification for OpenID Connect RP-Initiated Logout 1.0 requires both HTTP `GET` and `POST` methods to be supported. See: https://openid.net/specs/openid-connect-rpinitiated-1_0.html#RPLogout
- Data sent using the `POST` method remains encrypted during transport in the browser and in web application logs, preventing leakage of sensitive information

**How**:

- The same endpoint shall be used, `/openid_connect/logout`, but the request data must be sent as part of the body and use form serialization as required for HTTP `POST` requests (RFC 9110, sec. 9.3.3).
- Disables Rails' CSRF token verification for the POST route only

resolves https://gitlab.login.gov/lg-people/lg-people-appdev/protocols/openid-connect/-/issues/3

changelog: Bug Fixes, Security, Fix CORS stopping POST for OIDC RP-Initiated Logout 1.0
Commit f1f17a1
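The POST form of the logout request described in the commit message above, as an added example that is not code from this pull request or from the project: a plain-Ruby handler that reads the parameters from a form-serialized body and, because no CSRF token is checked on this route, redirects only to a `post_logout_redirect_uri` that exactly matches one registered for the `client_id`. The `REGISTERED` table, `handle_logout`, and all sample values are constructed assumptions; the parameter names come from the OpenID Connect RP-Initiated Logout 1.0 specification.

```ruby
require "uri"

# Constructed registry: client_id => registered post_logout_redirect_uris.
REGISTERED = {
  "urn:example:rp:demo" => ["https://rp.example.com/signed-out"],
}.freeze

FORM_TYPE = "application/x-www-form-urlencoded"

# Hypothetical handler for POST /openid_connect/logout (not the project's code).
# Returns [status, headers, body] in the Rack style, without needing Rack.
def handle_logout(method:, content_type:, body:)
  return [405, { "Allow" => "GET, POST" }, "method not allowed"] unless method == "POST"

  # POST parameters must arrive form-serialized in the request body.
  media_type = content_type.to_s.split(";").first.to_s.strip.downcase
  return [415, {}, "unsupported media type"] unless media_type == FORM_TYPE

  begin
    # Raises ArgumentError for input that is not ASCII-only.
    pairs = URI.decode_www_form(body.to_s)
  rescue ArgumentError
    return [400, {}, "malformed form body"]
  end
  # Reject duplicated parameters so two layers cannot read different values.
  names = pairs.map(&:first)
  return [400, {}, "duplicate parameter"] unless names.uniq.size == names.size
  params = pairs.to_h

  # With no CSRF token on this route, the redirect target is the control:
  # it must exactly match a URI registered for this client_id.
  allowed = REGISTERED.fetch(params["client_id"].to_s, [])
  target = params["post_logout_redirect_uri"].to_s
  return [400, {}, "unregistered post_logout_redirect_uri"] unless allowed.include?(target)

  # Hand state back to the RP; encode_www_form escapes it for the query string.
  state = params["state"].to_s
  sep = target.include?("?") ? "&" : "?"
  location = state.empty? ? target : "#{target}#{sep}#{URI.encode_www_form(state: state)}"
  # 303 See Other makes the browser follow up with a GET.
  [303, { "Location" => location }, ""]
end
```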
PR!10697 feedback: redirect from POST to GET to prevent browser ERR_CACHE_MISS on navigation
Commit 9d68447