We are pinned to the tests-passed branch of Discourse, and we’ve found that the following commit broke our SSO solution: SECURITY: The SSO `return_path` was an open redirect · discourse/discourse@f5e0cf6 · GitHub
We have login on our (non-Discourse) site, and as part of the login process we redirect to Discourse with a return_path to the host site (on a different subdomain) so that we can continue with the normal flow and let Discourse be logged in “in the background” without it disrupting our users’ flow. If users later visit the forums, they find themselves pleasantly still logged in.
However, from what I can tell, this commit restricts return_path to being on the Discourse subdomain. This means that we can’t log in to Discourse and then return to our own site.
For the moment we can pin ourselves to 1.2.0.beta5, but is it possible to provide a whitelist or otherwise disable this restriction on the return_path domain?
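An added example, not Discourse's code and not from the post above, of the kind of `return_path` check the question asks about: the forum's own host stays allowed, a small explicit allowlist covers the parent site's subdomains, and anything else (protocol-relative URLs, backslash tricks, credentials in the authority, non-https schemes) is rejected so the open redirect the commit fixed does not come back. `FORUM_HOST`, `ALLOWED_RETURN_HOSTS` and `safe_return_path` are assumed names for this illustration.

```ruby
require "uri"

# Constructed example (not Discourse's own code). The forum host and the
# allowlist of trusted return hosts are assumptions for this illustration.
FORUM_HOST = "forum.example.com"
ALLOWED_RETURN_HOSTS = ["www.example.com", "app.example.com"].freeze

# Returns a redirect target that is safe to send the browser to, or nil when
# the supplied return_path must be ignored (callers then fall back to "/").
def safe_return_path(return_path, forum_host: FORUM_HOST, allowed_hosts: ALLOWED_RETURN_HOSTS)
  return nil if return_path.nil? || return_path.empty?

  # Browsers treat "/\evil.com" like "//evil.com", so normalise backslashes
  # before parsing instead of trusting the leading slash.
  candidate = return_path.tr("\\", "/")
  uri = URI.parse(candidate)

  if uri.host.nil?
    # Local path: must be absolute ("/...") and must not be protocol-relative
    # ("//evil.com/..."), which would leave the forum's origin.
    return nil unless candidate.start_with?("/") && !candidate.start_with?("//")
    return candidate
  end

  # Absolute URL: https only, no userinfo ("https://evil.com@trusted/" tricks),
  # and the host must be the forum itself or on the explicit allowlist.
  return nil unless uri.scheme == "https"
  return nil unless uri.userinfo.nil?
  host = uri.host.downcase
  return nil unless host == forum_host || allowed_hosts.include?(host)
  uri.to_s
rescue URI::InvalidURIError
  nil
end
```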