Use HTTP verb in Service Provider request mapper

Fabien BERTEAU fabien.berteau at
Thu Oct 21 13:10:39 UTC 2021

This answer scares me, because we already use OIDC but we realize that it is
not enough. Indeed, PKCE stores access tokens within the reach of
JavaScript and therefore of an XSS-type attack. To overcome this, we use a
reverse-proxy overlay (NextAuth) to make our OIDC authorization server
believe that we are still in the Authorization Code flow. But this results in
an overly complex system, which I think could be simplified with SAML. If
you yourself are against the use of SAML in this increasingly widespread
use case, then I am afraid for us :)

Fabien Berteau | Security Architect



On Thu, 21 Oct 2021 at 15:05, Cantor, Scott <cantor.2 at> wrote:

> On 10/21/21, 9:01 AM, "users on behalf of Fabien BERTEAU" <
> users-bounces at on behalf of fabien.berteau at>
> wrote:
> > I know how to use Shibboleth to protect classical server side
> > applications but I am a newbie about protecting a SPA. Do you have
> > documentation on how to do that ?
> No, I know nothing about that sort of abomination. I suspect you need
> OIDC, not SAML.
> -- Scott
