Use HTTP verb in Service Provider request mapper

Cantor, Scott cantor.2 at osu.edu
Thu Oct 21 13:18:26 UTC 2021


On 10/21/21, 9:11 AM, "users on behalf of Fabien BERTEAU" <users-bounces at shibboleth.net on behalf of fabien.berteau at manomano.com> wrote:

> This answer scares me because we already use OIDC but we realize that it is not enough.

I'm not saying it's secure, I haven't studied any of it. I got off this train a lot of stops back when it became clear I did not have a compatible worldview to deal with it.

> To overcome this, we use a reverse proxy overlay (NextAuth) to make our OIDC authorization server believe
> that we are still in Authorization Code flow. But this results in an overly complex system which I think could be
> simplified with SAML. If you yourself are against the use of SAML in this increasingly widespread use case,
> then I am afraid of us :)

I'm not against the use of SAML if you think it's what you want, I'm simply against the concept of a SPA and I am not sorry or sad that people think SAML doesn't work well with them. To me that suggests we got it pretty right.

In the end though, I'm not sure what the difference is between a code being accessible to JavaScript and making a session cookie accessible to it. Same thing, isn't it?

-- Scott
