The docs for redirects in Actions and Rules match on some aspects, and one of them is what happens if, in the middle of a redirection, there is an /authorize call with prompt=none.
According to the docs, we should get an error saying error=interaction_required, but I'm only seeing that behaviour with Rules and not with Actions. When calling /authorize after being redirected by an Action, I can still get a valid code to exchange for an access token & ID token.
This is the Action I'm testing with:
- trigger: post-login
- code:
/**
 * Handler that will be called during the execution of a PostLogin flow.
 *
 * @param {Event} event - Details about the user and the context in which they are logging in.
 * @param {PostLoginAPI} api - Interface whose methods can be used to change the behavior of the login.
 */
exports.onExecutePostLogin = async (event, api) => {
  // Interrupt the login and send the user to the external page; the flow should
  // only complete once /continue brings them back through onContinuePostLogin.
  api.redirect.sendUserTo("http://localhost:4200");
};

/**
 * Handler that will be invoked when this action is resuming after an external redirect. If your
 * onExecutePostLogin function does not perform a redirect, this function can be safely ignored.
 *
 * @param {Event} event - Details about the user and the context in which they are logging in.
 * @param {PostLoginAPI} api - Interface whose methods can be used to change the behavior of the login.
 */
exports.onContinuePostLogin = async (event, api) => {
  // Intentionally empty for this test: resuming simply lets the login finish.
};
Then, from http://localhost:4200, I'm able to get a code for an access token by calling https://[AUTH0_TENANT]/authorize?client_id=...&prompt=none...
And the code for the Rule is:
function (user, context, callback) {
  // Only redirect on the initial pass; when the user comes back via
  // /continue the protocol is "redirect-callback" and the login completes.
  if (context.protocol !== "redirect-callback") {
    context.redirect = { url: "http://localhost:4200" };
  }
  return callback(null, user, context);
}
And the same /authorize call as for the Action (with a new nonce and state, of course).
Also, for my testing I'm redirecting with either an Action or a Rule; I'm not using both at the same time, of course.
Is this a bug or am I missing something?
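As an added example (not code from the original post, and not Auth0's own), here is a small helper for reproducing the comparison described above from the client side. It classifies the URL Auth0 redirects back to after an /authorize?prompt=none call, so a test can tell a silent success (a code was issued, the behaviour seen with the Action) from error=interaction_required (the documented behaviour, seen with the Rule), and flags a state mismatch in either case. The callback path, the state value and the sample URLs are constructed placeholders.

```javascript
// Added example, not from the original post. Classifies the response that Auth0
// sends to redirect_uri after /authorize?prompt=none, so the two outcomes the post
// compares (a code vs. error=interaction_required) can be checked programmatically.
// All URLs, states and codes below are constructed placeholders.

function classifyAuthorizeResponse(redirectedUrl, expectedState) {
  const url = new URL(redirectedUrl);
  // response_mode=query puts parameters in the query string; the implicit and
  // fragment response modes put them in the hash. Handle both.
  const params = new URLSearchParams(url.hash ? url.hash.slice(1) : url.search);

  // A prompt=none round trip is silent, so always bind the response to the
  // state that was sent; otherwise an unrelated or replayed response could be
  // mistaken for the result of this test.
  const state = params.get("state");
  if (state !== expectedState) {
    return { outcome: "state_mismatch", state };
  }

  // Documented behaviour when a redirect is still in progress: an OIDC error
  // such as interaction_required (or login_required / consent_required).
  const error = params.get("error");
  if (error) {
    return { outcome: error, description: params.get("error_description") || "" };
  }

  // Observed behaviour with the Action in the post: a code is issued even though
  // the redirect was never completed via /continue.
  if (params.get("code")) {
    return { outcome: "code_issued" };
  }
  return { outcome: "unexpected" };
}

// Constructed sample responses (placeholders, not captured from a real tenant).
const EXPECTED_STATE = "st-12345";
const SAMPLES = {
  // What the Rule-based flow returned: interaction still required.
  rule: "http://localhost:4200/callback?error=interaction_required&error_description=Interaction%20required&state=st-12345",
  // What the Action-based flow returned: a code despite the pending redirect.
  action: "http://localhost:4200/callback?code=AUTHCODE_PLACEHOLDER&state=st-12345",
  // A response whose state does not match the one that was sent.
  tampered: "http://localhost:4200/callback#code=AUTHCODE_PLACEHOLDER&state=other",
};

// Runs every sample and returns the classification for each, keyed by sample name.
function runSamples() {
  const results = {};
  for (const [name, u] of Object.entries(SAMPLES)) {
    results[name] = classifyAuthorizeResponse(u, EXPECTED_STATE);
  }
  return results;
}

module.exports = { classifyAuthorizeResponse, runSamples, SAMPLES, EXPECTED_STATE };
```

Pasting the real redirect URL from the browser's address bar into classifyAuthorizeResponse with the state you sent gives a one-word answer for each variant; if the Action variant keeps returning code_issued, that is the result worth attaching to the bug report.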