https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42719 --- Comment #10 from David Cook <dcook@prosentient.com.au> --- (In reply to David Cook from comment #9)
If we look at OIDC, it does outline some information about "Initiating Login from a Third Party":
https://openid.net/specs/openid-connect-core-1_0. html#ThirdPartyInitiatedLogin
Okta itself refers you to the OIDC docs: https://help.okta.com/en-us/content/topics/apps/ apps_app_integration_wizard_oidc.htm
It looks like X-FRAME-OPTIONS is what blocks the iframe clickjacking in modern browsers...
And my testing for putting it into something like an <img> actually only failed because of using localhost for testing...
For Okta, wouldn't it make sense to create a "initiate_login_uri" that takes the "iss" parameter, checks it against the Koha database, and then prompts the user saying "Issuer <iss> is initiating login. Would you like to proceed?" and then go off that?
I think that this is the way to go. That way, you provide a workable option using third-party initiated login according to spec, plus you're defeating login CSRF. -- You are receiving this mail because: You are watching all bug changes.