SCAL-311643: Fix SAMLRedirect/OIDCRedirect on IAMv2 (Okta) clusters#534
Open
saurabh-pandey-g wants to merge 1 commit into
Conversation
Contributor
Code Review
This pull request implements a specialized authentication flow for IAMv2 (Okta) clusters to circumvent issues caused by third-party cookie blocking in embedded environments. Key changes include the addition of the isIAMv2Enabled utility and logic within doSSOAuth to prioritize SSO markers over the standard cookie-based session probe. New unit tests in auth.spec.ts validate the IAMv2 logic, fallback mechanisms, and backward compatibility with IAMv1. I have no feedback to provide.
doSSOAuth() relied on /callosum/v1/session/isactive to detect a logged-in session. On IAMv2 clusters, browsers commonly block the JSESSIONID cookie from being sent on cross-origin requests (third-party cookie blocking, nested-iframe contexts), so the probe returns 401 even after a successful Okta redirect. The SDK then mistook this for auth failure and fired AuthStatus.FAILURE permanently.

Detect IAMv2 upfront via config.oktaEnabled from /prism/preauth/info and branch around the broken cookie probe: trust the SSO redirect marker as evidence of successful IdP auth and let the iframe re-establish the in-iframe session on load. IAMv1 behavior unchanged.
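The decision described in the commit message, written out as an added illustration (this is not the SDK's code, and the names `PreauthInfo`, `isIAMv2Enabled`, `hasSSORedirectMarker`, `resolveSSOAuth`, `SSO_MARKER_PARAM` and the `sso_redirect` query parameter are assumptions made here): the session probe's HTTP status is only authoritative on IAMv1, while on IAMv2 the SSO redirect marker is accepted as evidence of a completed IdP round-trip and the probe's 401 is not treated as a failure.

```typescript
// Added illustration of the IAMv2 branch, not code from the SDK.
// All identifiers below are hypothetical.

type AuthStatus = 'SUCCESS' | 'FAILURE' | 'PENDING_REDIRECT';

// Shape of the subset of /prism/preauth/info that the branch depends on.
interface PreauthInfo {
  config?: { oktaEnabled?: boolean };
}

// Query parameter assumed to be appended on return from the IdP (assumption).
const SSO_MARKER_PARAM = 'sso_redirect';

// IAMv2 is detected purely from config.oktaEnabled, before any cookie probe.
function isIAMv2Enabled(info: PreauthInfo | undefined): boolean {
  return info?.config?.oktaEnabled === true;
}

// Reads the redirect marker from the current URL; malformed URLs count as "no marker".
function hasSSORedirectMarker(href: string, markerParam: string = SSO_MARKER_PARAM): boolean {
  try {
    return new URL(href).searchParams.get(markerParam) === 'true';
  } catch (e) {
    return false;
  }
}

interface SSOAuthInputs {
  preauth: PreauthInfo | undefined;
  // HTTP status returned by the /callosum/v1/session/isactive probe.
  sessionProbeStatus: number;
  // Whether the page URL carries the SSO redirect marker.
  hasMarker: boolean;
}

function resolveSSOAuth(inputs: SSOAuthInputs): AuthStatus {
  const probeSaysActive = inputs.sessionProbeStatus === 200;

  if (isIAMv2Enabled(inputs.preauth)) {
    // IAMv2: the JSESSIONID cookie is frequently withheld cross-origin, so a 401
    // from the probe proves nothing. The marker is the evidence of IdP success;
    // the embedded iframe re-establishes its own session on load.
    if (inputs.hasMarker || probeSaysActive) return 'SUCCESS';
    return 'PENDING_REDIRECT';
  }

  // IAMv1: unchanged behaviour, the cookie probe is authoritative.
  if (probeSaysActive) return 'SUCCESS';
  // Returned from the IdP yet no session: genuine failure.
  if (inputs.hasMarker) return 'FAILURE';
  return 'PENDING_REDIRECT';
}

// Constructed sample inputs exercising the buggy case: IAMv2, marker present, probe 401.
const samplePreauthV2: PreauthInfo = { config: { oktaEnabled: true } };
const sampleHref = 'https://embed.example.test/app?sso_redirect=true';

function demo(): AuthStatus {
  return resolveSSOAuth({
    preauth: samplePreauthV2,
    sessionProbeStatus: 401,
    hasMarker: hasSSORedirectMarker(sampleHref),
  });
}

console.log(demo());
```

The point to check in review of a change like this is that the IAMv1 path is byte-for-byte the old behaviour (a 401 after the redirect still fails), and that on IAMv2 the marker alone never elevates an arbitrary URL into a session: it only suppresses the false FAILURE, and the real session is still established by the iframe load.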
73344b3 to 6c4a201 (Compare)