[QUESTION] Support for absence of state parameter in logout response

[clement-dufaure]

Previous version of this plugin had a switch to allow for the absence of the state parameter in franceconnect logout response (for csrf protection)

Shoud we reintroduce this switch in admin panel or should we definitively remove support for accepting logout responses without state parameter ?

It's about code around https://github.com/InseeFr/Keycloak-FranceConnect/blob/master/src/main/java/fr/insee/keycloak/providers/common/AbstractBaseIdentityProvider.java#L202C1-L211C100

[lme-atolcd]

Shoud we reintroduce this switch in admin panel or should we definitively remove support for accepting logout responses without state parameter ?

As stated in the FranceConnect documentation for the Logout Endpoint, the state parameter is required. So I think we could drop support for logout responses without state parameter.

[micedre]

Fyi, this switch was introduced because France connect stopped sending the parameter in logout response (see issue #6).
If this was corrected by FC, it seems best to not reintroduce it.