OIDC provider doesn't work when info is displayed during the login process
Concerned version
Version: 2.0.7
Summary
- Configure OIDC service
- Add an OIDC RP
- Enable singleSession
- log in as dwho
- clear cookies so that the session is still active on the LLNG side
- browse to your RP
- fill the login form
- an "info" form is displayed as the previous dwho session is erased
- you are redirected to the OIDC callback with arguments from the OIDC authorize endpoint
Logs
This is the info form:
<form id="form" action="http://rp.example.com/oauth2callback?code=53ba4eb7ed624bc0460e472cc8b75edcd50d4d95733bf2714dc42ad8217b1030&state=zZgCySbiBVYTzcGD1PS4UHlOvZc&session_state=dGQQkqPArcDn5GfH%2F%2FF8JXxDwbbvoFylK83sLMFnmkY%3D.YkMyR1kzZk1oNVdFRm8rZGRUYzc2dzBrTWdydm1xLzF3SzVZR2ZXd0dmVDFNQWFPZjlBOE92K0RzZ2tNTFkrK3pFdGNIanJpRDBHWTNRL0ZMcGwzMUE9PQ" method="get" class="info" role="form">
<input type="hidden" name="scope" value="openid email profile"><input type="hidden" name="response_type" value="code"><input type="hidden" name="redirect_uri" value="http://rp.example.com/oauth2callback"><input type="hidden" name="client_id" value="test"><input type="hidden" name="nonce" value="GPIXu7LrxGMKXrnB_jBC3ehp4ho8Eour-Axf3GHo5Vo"><input type="hidden" name="state" value="zZgCySbiBVYTzcGD1PS4UHlOvZc">
In other words, the action field is correct, but the form's inputs are copied from the HTTP request.
This means that we are actually redirected to http://rp.example.com/oauth2callback?scope=openid+email+profile&response_type=code&redirect_uri=http%3A%2F%2Flemonorange-rp.lxd%2Fsecret%2Foauth2callback&client_id=test&nonce=GPIXu7LrxGMKXrnB_jBC3ehp4ho8Eour-Axf3GHo5Vo&state=zZgCySbiBVYTzcGD1PS4UHlOvZc&lmAuth=Demo&skin=bootstrap
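Why the hidden inputs win over the action URL, as an added example that is not part of the original report or of the LemonLDAP::NG code: when a form with method="get" is submitted, the browser replaces the query string of the action URL with the encoded form fields, so the `code` and `session_state` placed in the action never reach the RP. The function names are hypothetical, and the `code`, `session_state` and `nonce` values are constructed placeholders.

```javascript
// Added example: models the browser's handling of the action URL on form submission.
// Sample values are constructed from the form shown in this report.

// Return the URL a browser navigates to when the form is submitted.
function submittedUrl(action, method, fields) {
  const url = new URL(action);
  if (method.toLowerCase() === "get") {
    // For GET, the encoded form data replaces the action URL's whole query.
    url.search = new URLSearchParams(fields).toString();
  }
  // For POST, the action URL is kept as is and the fields travel in the body.
  return url.toString();
}

// List the action-URL query parameters that a GET submission drops or overwrites.
function lostActionParams(action, method, fields) {
  if (method.toLowerCase() !== "get") return [];
  const sent = new URLSearchParams(fields);
  const lost = [];
  for (const [name, value] of new URL(action).searchParams) {
    if (!sent.has(name) || sent.get(name) !== value) lost.push(name);
  }
  return lost;
}

// Constructed sample: action as built for the OIDC callback (placeholders for secrets).
const action =
  "http://rp.example.com/oauth2callback?code=CONSTRUCTED_CODE" +
  "&state=zZgCySbiBVYTzcGD1PS4UHlOvZc&session_state=CONSTRUCTED_SESSION_STATE";

// Constructed sample: hidden inputs copied from the original authorize request.
const hiddenInputs = [
  ["scope", "openid email profile"],
  ["response_type", "code"],
  ["redirect_uri", "http://rp.example.com/oauth2callback"],
  ["client_id", "test"],
  ["nonce", "CONSTRUCTED_NONCE"],
  ["state", "zZgCySbiBVYTzcGD1PS4UHlOvZc"],
];

console.log(submittedUrl(action, "get", hiddenInputs));
console.log(lostActionParams(action, "get", hiddenInputs));
```

A check like `lostActionParams` can be used in a regression test for the info page: it should return an empty list for any form whose action carries an authorization response.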