Response URL for “cancels”
The short story is that when the WLS wants to send a “response” to the WAA, it takes the URL you provided in the request, adds a WLS-Response query parameter, and redirects the client to that URL.
Happily, it guarantees that this will be done by appending (?|&)WLS-Response=… to the URL (which means that this process is easy to undo, which is a necessary part of Checking response values).
However: while in version 3 it preserves any query parameters that were already in the request URL, in version 1 of the protocol it will not: that is, it deletes the query component before appending ?WLS-Response…. Furthermore, while the current version of the WLS appears to reply with version 3 upon success, if you click “cancel” then it will use version 1, presumably because of reasons.
The WLS does include in its response a copy of some of the request parameters, in particular, the return URL. It is possible to extract this from the response, and after inspecting WLS-Response, perform a redirect to it, recovering the deleted query parameters. The flask_glue does exactly this, and so hopefully you should not suffer problems on account of this behaviour.
Note that if you for some reason had the requirement that requests to a certain page need only be Raven authenticated if a certain query parameter is present, then something like this would not work correctly:
    def my_before_request():
        if "special" in request.args:
            return flask_glue.before_request()
        else:
            return None
… since if a user clicks Cancel, the WLS replies with version 1 and deletes the query component, so the special query parameter would not be set. my_before_request would then return None without calling flask_glue.before_request, and the response from the WLS would not be handled. Instead, something like this would be necessary:
    def my_before_request():
        if "special" in request.args or "WLS-Response" in request.args:
            return flask_glue.before_request()
        else:
            return None
If you are not using the flask_glue, I suggest where possible just avoiding having significant query parameters on the URL that you use to perform Raven authentication, and then simply check that request.base_url matches the URL in the signed response. Otherwise, have a look at the implementation of flask_glue for inspiration.
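The recovery step described above, combined with the URL check suggested for code that does not use flask_glue, as an added example (it is not flask_glue's implementation). It assumes the `!`-separated response layout with the return URL as the sixth field and status 410 for a cancel; `app.example`, the sample responses and all function names are constructed for illustration, and signature verification is left to the rest of the response handling.

```python
from urllib.parse import quote, unquote, urlsplit

MARKERS = ("?WLS-Response=", "&WLS-Response=")  # the two forms the WLS appends


def split_wls_response(request_url):
    """Undo the WLS's append: return (url_seen_without_response, raw_response)."""
    idx = max(request_url.rfind(m) for m in MARKERS)
    if idx < 0:
        return request_url, None
    return request_url[:idx], unquote(request_url[idx + len(MARKERS[0]):])


def base_of(url):
    """Scheme, host and path only: the part a version 1 reply leaves intact."""
    parts = urlsplit(url)
    return parts.scheme, parts.netloc, parts.path


def recover_redirect(request_url):
    """Return the URL to redirect to so deleted query parameters come back,
    or None when nothing was lost. Raises ValueError on a mismatched URL."""
    seen_url, raw = split_wls_response(request_url)
    if raw is None:
        return None
    fields = [unquote(f) for f in raw.split("!")]  # '!' and '%' are escaped per field
    if len(fields) < 6:
        raise ValueError("WLS-Response has too few fields")
    wanted = fields[5]  # assumed order: ver, status, msg, issue, id, url, ...
    if base_of(wanted) != base_of(seen_url):
        # This runs before any signature check, so the url field is untrusted:
        # only redirect back to the page that actually received the reply.
        raise ValueError("url in WLS-Response does not match this request")
    return None if wanted == seen_url else wanted


def sample_request(url_field, seen, ver="1", status="410"):
    """Constructed request URL as the WAA would see it (not captured traffic)."""
    escaped = url_field.replace("%", "%25").replace("!", "%21")
    tail = [""] * (8 if ver == "3" else 7)  # remaining fields left empty
    raw = "!".join([ver, status, "", "20240101T000000Z", "constructed-id", escaped] + tail)
    return seen + ("&" if "?" in seen else "?") + "WLS-Response=" + quote(raw, safe="")


if __name__ == "__main__":
    want = "https://app.example/page?special=1"
    print(recover_redirect(sample_request(want, "https://app.example/page")))
```

The application still has to record the outcome of the response (for example in the session) before issuing the redirect, because the redirected request no longer carries WLS-Response.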