
UPWG9AYH2 Posts: 509 🧑🏻‍🚀 - Cadet
edited July 2021 in Help

Hello,
we are currently implementing a login flow for Keycloak OpenID (external login server). For that we also wrote a client from the Yves frontend to the Spryker backend. This client should provide
a) a login link where the customer gets redirected to
b) the resource owner by the provided auth code (from redirect from keycloak login)

Both involve a state parameter which must finally match again when retrieving the resource owner. I compared Spryker's OAuth Azure module, and they save that state param into the current session using the session client, which is totally fine in that case (because everything happens in the same session).

However, when using the client layer to connect Yves, both methods do not share the same session, which is a problem when comparing the generated state param with the state param that was returned from the login server.

My two approaches would be now:
• save the state into redis instead or
• save the state into an own table in the database
Saving the param to Redis (and removing it after the param/auth code was validated) seems to be the easiest solution to me.

But honestly I don’t know about security concerns when saving the state param into Redis or somewhere else.
So, is this the way to go? Did somebody do something similar? Any suggestions or other approaches?

Best

Comments

  • UPWG9AYH2 Posts: 509 🧑🏻‍🚀 - Cadet

    I think the core question is: is Spryker's storage (aka Redis) intended to store security-relevant information, since it is (afaik) intended to be more or less the cache for the frontend … so public frontend info vs. security-relevant info … databases might also be a solution, but as I said … it feels a bit over-engineered for a simple string that is persisted only temporarily.
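Added example, not code from this thread or from Spryker: a language-neutral sketch in Python of the Redis approach proposed in the question, with the properties a temporarily persisted security string from the comment above needs: a TTL, single-use consumption, storing only a hash of the state, and binding the state to a nonce the frontend set in an HttpOnly cookie so only the browser that started the flow can finish it. The `FakeRedis` class and the `browser_nonce` cookie value are assumptions standing in for a real Redis client (the `set(..., ex=)` / `getdel()` call shapes mirror redis-py) and the frontend's cookie handling.

```python
import hashlib
import hmac
import secrets
import time

STATE_TTL = 300  # seconds; an auth-code round trip should finish well within this


class FakeRedis:
    """Constructed stand-in for a Redis client: only SET ... EX and GETDEL are modelled."""

    def __init__(self):
        self._data = {}

    def set(self, key, value, ex):
        self._data[key] = (value, time.monotonic() + ex)

    def getdel(self, key):
        entry = self._data.pop(key, None)  # removed on read, whether or not it is still valid
        if entry is None or entry[1] <= time.monotonic():
            return None
        return entry[0]


def _state_key(state: str) -> str:
    # Key on a hash of the state so that reading the store does not yield usable states
    return "oauth:state:" + hashlib.sha256(state.encode()).hexdigest()


def _nonce_fingerprint(browser_nonce: str) -> str:
    return hashlib.sha256(browser_nonce.encode()).hexdigest()


def begin_login(store, browser_nonce: str, ttl: int = STATE_TTL) -> str:
    """Build the state for the redirect link. browser_nonce (assumed) is a random value the
    frontend has placed in an HttpOnly cookie; the state is bound to it in the store."""
    state = secrets.token_urlsafe(32)
    store.set(_state_key(state), _nonce_fingerprint(browser_nonce), ex=ttl)
    return state


def finish_login(store, returned_state: str, browser_nonce: str) -> bool:
    """Validate the state returned by Keycloak. GETDEL makes it single use: a replay of the
    same state, an expired state, or an unknown state all fail; a valid state presented by
    a browser with a different cookie nonce fails too."""
    expected = store.getdel(_state_key(returned_state))
    if expected is None:
        return False
    return hmac.compare_digest(expected, _nonce_fingerprint(browser_nonce))
```

Only after `finish_login` returns True should the auth code be exchanged for the resource owner; the entry is already gone from Redis at that point.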