feat: Remove trusted issuer check from authorization code flow #1
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Users weren't prompted, only an error logged to the console, amids many other errors and logs. Users won't see why it doesn't work. Devs have no easy or documented way to provide trusted issuers either. Trusted issuers are not per-user but server-wide, so allowing users to add/ignore/allow them, is not possible in current setup. All in all, this "feature" is very much in our way, annoying and it adds nothing yet. It will increase security when finished. But in current state doesn't add safety, but is annoying and in the way.
berkes
force-pushed
the
wip/verify-rm-trusted-issuers
branch
from
1c43351 to
3e30193
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This removes the trusted issuer check from the authorization code flow as discussed
Users weren't prompted, only an error logged to the console, amids many
other errors and logs. Users won't see why it doesn't work.
Devs have no easy or documented way to provide trusted issuers either.
Trusted issuers are not per-user but server-wide, so allowing users to
add/ignore/allow them, is not possible in current setup.
All in all, this "feature" is very much in our way, annoying and it adds
nothing yet. It will increase security when finished. But in current
state doesn't add safety, but is annoying and in the way.