Redirecting in CAS with post method
Hello,
As far as I understand, it would be good for CASv3 if the redirect could be done with POST, because of the JavaScript cross-site scripting danger in the client.
(It would also be good for the OIDC implicit flow, but there is the alternative of the code flow.)
What I tried (for CAS), neither of which worked:
- added a method parameter with POST in the CAS URL as documented in the CASv3 specification ( https://apereo.github.io/cas/5.0.x/protocol/CAS-Protocol-Specification.html#211-parameters )
- set in the LemonLDAP manager: redirectFormMethod = "POST"
But maybe it is also a bug (version 2.0.7)?
In the autoRedirect method it seems it will always be a GET request in the end: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/blob/3b1b1b1997b4c7967cc452194aa92f77c512d0a8/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Run.pm#L352
By manually setting $req->data->{redirectFormMethod} = "post" it was possible to do the redirecting with POST.
Maybe I have also overlooked something...
Greetings Andreas Deschka
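
For readers comparing the two behaviours discussed in the post above, here is an added sketch (not part of the original post and not LemonLDAP::NG code) of the two response shapes a CAS server can return after login, depending on the `method` parameter of the CASv3 specification. The function name, the exact HTML of the form, the service URL and the ticket value are assumptions constructed for illustration.

```python
from html import escape
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


def cas_login_response(service: str, ticket: str, method: str = "GET"):
    """Return (status, headers, body) for the hop back to the service.

    `method` mirrors the optional CASv3 /login `method` parameter.
    """
    method = method.upper()
    if method == "GET":
        # The ticket is appended to the service URL, so it appears in the
        # address bar, the browser history and the service's access logs.
        parts = urlsplit(service)
        query = parse_qsl(parts.query, keep_blank_values=True)
        query.append(("ticket", ticket))
        location = urlunsplit(parts._replace(query=urlencode(query)))
        return 302, {"Location": location}, ""
    if method == "POST":
        # The ticket travels in the body of an auto-submitted form; the
        # service URL is left unchanged. Both values are HTML-escaped
        # because they are written into attribute context.
        body = (
            '<!DOCTYPE html><html><body onload="document.forms[0].submit()">'
            f'<form method="post" action="{escape(service, quote=True)}">'
            f'<input type="hidden" name="ticket" value="{escape(ticket, quote=True)}">'
            '<noscript><button type="submit">Continue</button></noscript>'
            "</form></body></html>"
        )
        headers = {
            "Content-Type": "text/html; charset=utf-8",
            "Cache-Control": "no-store",  # keep the ticket page out of caches
        }
        return 200, headers, body
    raise ValueError(f"unsupported method: {method!r}")


if __name__ == "__main__":
    # Constructed sample values.
    for m in ("GET", "POST"):
        status, headers, body = cas_login_response(
            "https://app.example.org/cb?x=1", "ST-1-constructed", m)
        print(m, status, headers, body[:60])
```

When testing a portal, the check is simply which of the two shapes comes back for a login request carrying `method=POST`: a 302 whose `Location` contains `ticket=`, or a 200 HTML form.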