Improve interaction between protocol endpoint and authentication subsystem about identityserver3 HOT 7 CLOSED

Think about cookie or DB for persisting request message to support POST requests to authorize endpoint.

from identityserver3.

I'm wondering if the authorize endpoint should issue the cookie and not pass a protected query string. Seems a little much the way we did it. shrug

from identityserver3.

We don't need the protected query string. But issuing the cookie is def not the job ob the authZ endpoint.

from identityserver3.

It doesn't have to specifically be the authZ endpoint, but the action result or whatever. I'm just talking out loud -- the protected query string feel a little much given that these two are in the same middleware.

from identityserver3.

True. This comes from a discussion where the authZ endpoints wants to pass data to the login endoint in a "trusted way". As I said - we don't need it and it adds complexity right now. Wanna remove it?

from identityserver3.

Yea, I'll look at it Monday and think if there's a cleaner way. In short, I need a cookie in the all the authentication code anyway, so i was thinking why not use issue it and skip the query string. I also want a better API/abstraction for managing the cookie data. So that's all related.

from identityserver3.

We gonna keep the SignInMessage infrastructure, I switched everything to the new IDataProtector which by default is provided by the host.

from identityserver3.