Skip to main content

Hi,

I’m evaluating the use of the OpenId option for user authentication in a non-thinkwise app, so that the users can use the same credentials in both the thinkwise app and the non- thinkwise app. I’ve configured the application in the OpenId section of IAM, setup the correct redirects in the client application.

When the user connects to the website, the user is redirected to the login of the indicium application.

After login the user should be redirected to the original application. However, we are not redirected. We stay on the /connect/authorize/callback?client_id= page of indicium.

I suspect that this is related due to the CSP settings on this page. Possible related to the mismatch in the content-security-policy and x-content-security-policy headers.

This happens in Firefox/Chrome and Edge.

However, when I disable the CSP check in the browser, the redirect works, and the user is redirected successfully to the original webapp.

This is tested against the 2021.1.17 version of indicium.

I’ve got the feeling that I’m missing some configuration to make this work.  Who has the missing piece of configuration?

 

Kind regards,

Edwin

Hello Edwin,

I suspect that you are adding the querystring parameter response_mode=form_post to the /connect/authorize request, is that correct?

It looks like Indicium doesn’t return the correct Content-Security-Policy header for this response mode, which wasn’t noticed before because the default is response_mode=query. We will look into fixing this issue in one of our upcoming releases. Meanwhile, is there a reason for you to not use the default response_mode? Your issue would be fixed by removing that querystring parameter.

I hope this helps.

Hi Vincent,

using response_mode=query is the missing link. The lib i’m using defaults to the form_post response type. After adding the correct configuration, the redirect works without an issue.

 

for anyone with the same problem in .net using the Microsoft.AspNetCore.Authentication.OpenIdConnect .net package. Add the following line to the openIdconfiguration:
 


Kind regards

Edwin

Reply


Terms & ConditionsCookie settings