Use HTTP verb in Service Provider request mapper
Cantor, Scott
cantor.2 at osu.edu
Thu Oct 21 13:22:24 UTC 2021
On 10/21/21, 9:18 AM, "users on behalf of Cantor, Scott" <users-bounces at shibboleth.net on behalf of cantor.2 at osu.edu> wrote:
> In the end though, I'm not sure what the difference is between a code being accessible to javascript and
> making a session cookie accessible to it. Same thing, isn't it?
The point being that AFAIU, the advantage of using the OIDC technologies is simply that there are already SPA libs designed to deal with it all for you and handle timeouts and refresh and so on, so it's that error handling bit that is addressed.
I don't think either is really a good security model simply because the flaws are baked into what you're trying to do. Sad to say the sum total of what passes for web security amounts to HttpOnly at this point, but that's the way it seems to me.
-- Scott