Always whitelist the login fallback for SSO (#7153)

That fallback sets the redirect URL to itself (so it can process the login token then return gracefully to the client). This would make it pointless to ask the user for confirmation, since the URL the confirmation page would be showing wouldn't be the client's.
2025-05-02 19:34:52 -04:00 · 2020-03-27 20:24:52 +00:00 · 2020-03-27 20:24:52 +00:00 · b7da598a61
commit b7da598a61
parent 84f7eaed16
4 changed files with 28 additions and 1 deletions
--- a/docs/sample_config.yaml
+++ b/docs/sample_config.yaml
@ -1444,6 +1444,10 @@ sso:
    # phishing attacks from evil.site. To avoid this, include a slash after the
    # hostname: "https://my.client/".
    #
+    # If public_baseurl is set, then the login fallback page (used by clients
+    # that don't natively support the required login flows) is whitelisted in
+    # addition to any URLs in this list.
+    #
    # By default, this list is empty.
    #
    #client_whitelist: