Use HTTP verb in Service Provider request mapper
cantor.2 at osu.edu
Thu Oct 21 13:18:26 UTC 2021
On 10/21/21, 9:11 AM, "users on behalf of Fabien BERTEAU" <users-bounces at shibboleth.net on behalf of fabien.berteau at manomano.com> wrote:
> This answer scares me because we already use OIDC but we realize that it is not enough.
I'm not saying it's secure, I haven't studied any of it. I got off this train a lot of stops back when it became clear I did not have a compatible worldview to deal with it.
> To overcome this, we use a reverse proxy overlay (NextAuth) to make our OIDC authorization server believe
> that we are still in Authorization Code flow. But this results in an overly complex system which I think could be
> simplified with SAML. If you yourself are against the use of SAML in this increasingly widespread use case,
> then I am afraid of us :)
I'm not against the use of SAML if you think it's what you want, I'm simply against the concept of a SPA and I am not sorry or sad that people think SAML doesn't work well with them. To me that suggests we got it pretty right.