Hi,
I am looking at using taigaio/taiga-contrib-oidc-auth (GitHub), the OIDC plugin for Taiga authentication.
I notice that when I login via OIDC, my browser is taken to a URL like this:
/login%3Fid=8&username=exampleuser&full_name=&full_name_display=exampleuser&color=%252306f5ad&bio=&lang=&theme=&timezone=&is_active=True&photo=None&big_photo=None&gravatar_id=82482475-bd73-47dd-917d-5886f5b419c2&roles=%253CQuerySet+%255B%255D%253E&total_private_projects=0&total_public_projects=0&email=example%2540example.com&uuid=2a19f4fa-a93a-4593-b9ae-56951f9f8fea&date_joined=2025-01-09+04%253A34%253A47.819081%252B00%253A00&read_new_terms=False&accepted_terms=True&max_private_projects=None&max_public_projects=None&max_memberships_private_projects=None&max_memberships_public_projects=None&verified_email=True&refresh=xxxxxxxxxxxxxx.xxxxxxxxxxxxxx&auth_token=xxxxxxxxxxxxxx.xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.9xxxxxxxxxxxxx&type=oidc&next=%252Fdiscover
I notice that if I take this same URL and paste it into another browser, I am automatically logged in (I didn’t need to go via OIDC, I guess because the auth token / refresh token are valid).
I don’t like this too much, because a malicious browser extension could track the URL in my browser’s address bar and gain access. I guess you could say the same about cookie theft but I feel that the URL containing all the necessary auth data is worse (it also is likely to end up in web traffic logs on the server).
I think this is happening here: back/taiga_contrib_oidc_auth/views.py in taigaio/taiga-contrib-oidc-auth (master branch on GitHub).
Is there any way to make it not send those parameters in the URL? Can I not get taiga-back to establish the session/token after exchanging the code and obtaining the userData (which it is doing successfully)? As far as I can tell, the GitHub and GitLab plugins don’t do this, but the generic OIDC plugin code says ‘$auth.login() is too Github specific’ and I don’t know what this means…
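One way to keep the tokens out of the redirect, as an added example and not the plugin's own code: the backend stores the tokens server-side under a short-lived, single-use handoff code, puts only that code in the URL, and the front end redeems it with a POST. `HandoffStore`, `leaked_params` and the `/login` query layout are assumptions for illustration; a real deployment would back the store with the Django cache rather than a dict.

```python
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Query parameters that must never appear in a redirect URL (browser history,
# extensions and server access logs all see them).
SENSITIVE_PARAMS = {"auth_token", "refresh", "email"}


class HandoffStore:
    """Hypothetical server-side store: code -> (payload, expiry)."""

    def __init__(self, ttl_seconds=60, now=time.time):
        self._items = {}
        self._ttl = ttl_seconds
        self._now = now  # injectable clock so expiry can be tested

    def issue(self, payload):
        code = secrets.token_urlsafe(32)  # unguessable, one-time code
        self._items[code] = (payload, self._now() + self._ttl)
        return code

    def redeem(self, code):
        """Single use: the entry is removed on first lookup, valid or not."""
        entry = self._items.pop(code, None)
        if entry is None:
            return None
        payload, expires_at = entry
        return None if self._now() > expires_at else payload


def build_leaky_redirect(user_data):
    # The pattern described in the post: every field, tokens included, in the query string.
    return "/login?" + urlencode(user_data)


def build_handoff_redirect(user_data, store):
    # Hardened: tokens stay server-side; only the handoff code travels in the URL.
    code = store.issue({"auth_token": user_data["auth_token"], "refresh": user_data["refresh"]})
    return "/login?" + urlencode({"type": "oidc", "next": user_data.get("next", "/"), "code": code})


def leaked_params(url):
    """Check helper: sorted names of sensitive parameters present in a URL's query."""
    return sorted(SENSITIVE_PARAMS & set(parse_qs(urlparse(url).query)))


def code_from_redirect(url):
    """What the front end extracts before POSTing it back to redeem the tokens."""
    return parse_qs(urlparse(url).query)["code"][0]
```

The front end would send the extracted code to a backend endpoint that calls `redeem()` and returns the tokens in the response body, so the URL never holds anything reusable.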