Taiga and OIDC plugin

Hi,

I am looking at using GitHub - taigaio/taiga-contrib-oidc-auth: OIDC plugin for taiga authentication

I notice that when I login via OIDC, my browser is taken to a URL like this:

/login%3Fid=8&username=exampleuser&full_name=&full_name_display=exampleuser&color=%252306f5ad&bio=&lang=&theme=&timezone=&is_active=True&photo=None&big_photo=None&gravatar_id=82482475-bd73-47dd-917d-5886f5b419c2&roles=%253CQuerySet+%255B%255D%253E&total_private_projects=0&total_public_projects=0&email=example%2540example.com&uuid=2a19f4fa-a93a-4593-b9ae-56951f9f8fea&date_joined=2025-01-09+04%253A34%253A47.819081%252B00%253A00&read_new_terms=False&accepted_terms=True&max_private_projects=None&max_public_projects=None&max_memberships_private_projects=None&max_memberships_public_projects=None&verified_email=True&refresh=xxxxxxxxxxxxxx.xxxxxxxxxxxxxx&auth_token=xxxxxxxxxxxxxx.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.9xxxxxxxxxxxxx&type=oidc&next=%252Fdiscover

I notice that if I take this same URL and paste it into another browser, I am automatically logged in (I didn’t need to go via OIDC, I guess because the auth token / refresh token are valid)

I don’t like this too much, because a malicious browser extension could track the URL in my browser’s address bar and gain access. I guess you could say the same about cookie theft but I feel that the URL containing all the necessary auth data is worse (it also is likely to end up in web traffic logs on the server).

I think this is happening here: taiga-contrib-oidc-auth/back/taiga_contrib_oidc_auth/views.py at master · taigaio/taiga-contrib-oidc-auth · GitHub

Is there any way to make it not send those parameters in the URL? Can I not get taiga-back to establish the session/token after exchanging the code and obtaining the userData (which it is doing successfully)? As far as I can tell, the GitHub and GitLab plugins don’t do this, but the generic OIDC plugin code says ‘$auth.login() is too Github specific’ and I don’t know what this means…
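The concern in this post is that the login redirect carries the session token, the refresh token and personal data in the query string, where browser history, extensions and server access logs can all see it. The script below is an added illustration (not code from the plugin or from the poster): it parses a redirect URL of the same shape as the one quoted above (the query string is percent-encoded into the path, and the values are encoded a second time), classifies which parameters should never appear in a URL, scrubs such tokens out of access-log lines so they do not persist on the server, and shows what the redirect would look like if only navigation hints remained in it. The sample URL and log lines are constructed, with fake tokens of the same shape as the ones in the post; the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit, urlunsplit, unquote, parse_qsl, urlencode

# Constructed sample modelled on the redirect URL quoted in the post: the '?' is encoded
# as %3F, values are percent-encoded twice, and the tokens are obviously fake.
SAMPLE_URL = (
    "https://taiga.example.invalid/login%3Fid=8&username=exampleuser&color=%252306f5ad"
    "&email=example%2540example.com&uuid=00000000-0000-0000-0000-000000000000"
    "&refresh=xxxxxxxxxxxxxx.xxxxxxxxxxxxxx"
    "&auth_token=eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjo4fQ.cccc"
    "&type=oidc&next=%252Fdiscover"
)

# Constructed access-log lines (combined log format) as a reverse proxy would record them.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [09/Jan/2025:04:35:01 +0000] "GET /login%3Fid=8&username=exampleuser'
    '&refresh=xxxxxxxxxxxxxx.xxxxxxxxxxxxxx&auth_token=eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjo4fQ.cccc'
    '&type=oidc HTTP/1.1" 200 512',
    '10.0.0.5 - - [09/Jan/2025:04:35:02 +0000] "GET /api/v1/projects HTTP/1.1" 200 1024',
]

CREDENTIAL_PARAMS = {"auth_token", "refresh"}          # grant access on their own
PII_PARAMS = {"email", "uuid", "gravatar_id", "date_joined"}
JWT_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*$")  # header.payload.sig
SECRET_QUERY_RE = re.compile(r"(?i)(auth_token|refresh)=([^&\s\"']+)")


def parse_login_redirect(url):
    """Return (path, params) for a redirect whose whole query string was encoded into
    the path. One unquote exposes '?', parse_qsl removes the second encoding layer."""
    parts = urlsplit(url)
    decoded_path = unquote(parts.path)            # '/login%3Fid=8...' -> '/login?id=8...'
    if "?" in decoded_path:
        path, query = decoded_path.split("?", 1)
    else:
        path, query = decoded_path, parts.query
    params = dict(parse_qsl(query, keep_blank_values=True))  # '%2540' -> '@', '%2523' -> '#'
    return path, params


def find_leaks(params):
    """Classify parameters that must not travel in a URL: credentials by name,
    anything JWT-shaped by value, and personal data by name."""
    leaks = {"credentials": [], "token_shaped": [], "pii": []}
    for name, value in params.items():
        if name in CREDENTIAL_PARAMS:
            leaks["credentials"].append(name)
        if JWT_RE.match(value):
            leaks["token_shaped"].append(name)
        if name in PII_PARAMS:
            leaks["pii"].append(name)
    return {k: sorted(v) for k, v in leaks.items()}


def scrub_log_line(line):
    """Replace token values in a raw access-log line so they are not retained on disk.
    Matches both the plain and the path-encoded form because only '=' and '&' matter."""
    return SECRET_QUERY_RE.sub(lambda m: f"{m.group(1)}=[REDACTED]", line)


def safe_redirect(path, params, allowed=("type", "next")):
    """Illustrates the alternative the post asks for: if the backend kept the tokens in
    a server-side session, only navigation hints would need to survive in the URL."""
    kept = {k: params[k] for k in allowed if k in params}
    return urlunsplit(("", "", path, urlencode(kept), ""))


if __name__ == "__main__":
    path, params = parse_login_redirect(SAMPLE_URL)
    print("path:", path)
    print("leaks:", find_leaks(params))
    for line in SAMPLE_LOG_LINES:
        print("scrubbed:", scrub_log_line(line))
    print("safe redirect:", safe_redirect(path, params))
```

Running the script on the constructed sample reports `auth_token` and `refresh` as credentials, `auth_token` as JWT-shaped, and `email`/`uuid` as personal data; the scrubbed log line keeps the request but not the token values, and the safe redirect collapses to `/login?type=oidc&next=%2Fdiscover`. The scrubber is the kind of filter one would put in front of the proxy's log writer while a plugin still emits such URLs.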

Hi there!

We have already answered on our ticketing system, but I’ll write here as well just in case.

That plugin has not seen development in quite some time and is not in use on our SaaS nor anything, but will take a look when possible and let you know.

Thanks for reaching out with this issue,

Best regards!

1 Like