Calling Developers!
We are reenergizing our code contribution process! Learn More

What are the Slack Archives?

It’s a history of our time together in the Slack Community! There’s a ton of knowledge in here, so feel free to search through the archives for a possible answer to your question.

Because this space is not active, you won’t be able to create a new post or comment here. If you have a question or want to start a discussion about something, head over to our categories and pick one to post in! You can always refer back to a post from Slack Archives if needed; just copy the link to use it as a reference..

Hello, we are currently implementing a login flow for keycloak OpenID (external login server). For t

Options
UPWG9AYH2
UPWG9AYH2 Posts: 509 🧑🏻‍🚀 - Cadet
edited July 2021 in Help

Hello,
we are currently implementing a login flow for keycloak OpenID (external login server). For that we wrote also a client from yves frontend to spryker backend. This client should provide
a) a login link where the customer gets redirected to
b) the resource owner by the provided auth code (from redirect from keycloak login)

Both involving a state parameter which must finally match again when retrieving the resource owner. I compared the sprykers oauth azure module and they save that state param into the current session using the session client which is totally fine in that case (because everything happens in the same session).

However, when using the client layer to connect yves, both methods does not share the same session which is a problem to compare generated state param and the state param that was returned from the login server.

My two approaches would be now:
• save the state into redis instead or
• save the state into an own table in the database
Saving the param to Redis (and remove it after the param/auth code was validated) seems to be the easiest solution to me.

But honestly I don’t know about security concerns when saving the state param into redis or somewhere else.
So, is this the way to go? Somebody did something similar?Any suggestions or other approaches?

Best

Comments

  • UPWG9AYH2
    UPWG9AYH2 Posts: 509 🧑🏻‍🚀 - Cadet
    Options

    I think the core question is: Is sprykers storage aka redis intended to store security relevant information since its (afaik) intended to be more or less the cache for the frontend … so public frontend infos vs security relevant infos … databases might be also a solution but as i said … feels a bit over engineered for a simple string that is persisted only temporarly