Hi. We are using hydra to act as an IDP. Sometimes...
# talk-hydra
Hi. We are using hydra to act as an IDP. Sometimes we need to reject login requests (OIDC), but the relying party (a whitelabel solution we are using) does not seem to handle the rejection properly. – Instead of showing a message to the user they retry the request which results in an endless loop. 💥 So my idea to work around this is to reject the request in our login endpoint, but not redirect to the redirect_url of the reject response, but to show our own 403 page with some useful information instead. Do you think that makes sense or does this break the OAuth flow and would make it unusable for other relying parties?
What is the "normal" reject response? Basically a 403 page as well right? From a first glance this seems reasonable to me. I am not sure if it breaks the flow for other parties though.
My understanding that the relying party should handle a rejection. Is that right?
If the user denies the authorization request, the server will redirect the user back to the redirect URL with
in the query string, and no code will be present. It is up to the app to decide what to display to the user at this point.
i think so yes
❤️ 1