I'm trying out OpenID Connect for my app and there is one specific workflow that I haven't been able to support.
I've got an "Add to cart" button that issues a POST request to the HTTP server. If the user is not authenticated, the user goes to the Identity Provider to be authenticated. However, after the user is authenticated, the Identity Provider redirects the browser to the redirect_uri using a GET, which means my application loses the context of which item the user wanted to buy.
The only alternative that I can think about would be to hide the "Add to cart" button until the user logs in, but it seems like this would be an important limitation of OpenID. Is there another solution?
If the user is not authenticated, the user goes to the Identity Provider to be authenticated.
This is the first redirect with which you lose the POST information.
So when deciding that the user has to be redirected, you need to store the POST data in the session and pick them up after the user has been logged in.
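One way to implement what the answer describes, as an added example that is not part of the original question or answer: the unauthenticated POST handler stashes the form data in the server-side session together with a fresh OIDC state value before redirecting to the Identity Provider; the GET callback handler checks that the returned state matches the one stored in the same session, completes the login, and only then replays the stored action exactly once. The session object, the route handlers, the IdP URL, the client id and the verify_code callback (standing in for the code-for-token exchange) are all assumptions made for the illustration, not part of any real library, and no framework is used so the block runs offline.

```python
import secrets
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import urlencode

# Placeholder values for the illustration (not from the original page).
IDP_AUTHORIZE_URL = "https://idp.example/authorize"
REDIRECT_URI = "https://shop.example/oidc/callback"
CLIENT_ID = "shop-client"


@dataclass
class Session:
    """Server-side session: the browser only holds an opaque session id,
    so the stashed POST body never travels through the IdP redirect."""
    user: Optional[str] = None
    pending_action: Optional[dict] = None
    oidc_state: Optional[str] = None


def add_to_cart(session: Session, form: dict, cart: list) -> dict:
    """POST /cart/add handler. Returns a minimal response dict."""
    if session.user is not None:
        cart.append((session.user, form["item_id"], int(form["qty"])))
        return {"status": 200, "body": "added"}

    # Not logged in: keep only the fields needed to replay the action later,
    # then bind the upcoming callback to this session with a random state.
    session.pending_action = {
        "type": "add_to_cart",
        "item_id": form["item_id"],
        "qty": int(form["qty"]),
    }
    session.oidc_state = secrets.token_urlsafe(32)
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": session.oidc_state,
    })
    return {"status": 302, "location": f"{IDP_AUTHORIZE_URL}?{query}"}


def oidc_callback(session: Session, query: dict, cart: list,
                  verify_code: Callable[[str], Optional[str]]) -> dict:
    """GET redirect_uri?code=...&state=... handler.

    verify_code stands in for the authorization-code/token exchange and the
    ID token validation; it returns the authenticated subject or None."""
    # The state must match the value stored when the action was stashed, so a
    # callback forged or replayed from another browser cannot trigger the action.
    if session.oidc_state is None or not secrets.compare_digest(
            query.get("state", ""), session.oidc_state):
        return {"status": 400, "body": "state mismatch"}
    session.oidc_state = None  # single use

    user = verify_code(query.get("code", ""))
    if user is None:
        return {"status": 401, "body": "login failed"}
    session.user = user

    # Pick the stored POST data back up and clear it so it replays at most once.
    pending, session.pending_action = session.pending_action, None
    if pending and pending["type"] == "add_to_cart":
        cart.append((user, pending["item_id"], pending["qty"]))
        return {"status": 303, "location": "/cart"}
    return {"status": 303, "location": "/"}


if __name__ == "__main__":
    sess, cart = Session(), []
    first = add_to_cart(sess, {"item_id": "sku-123", "qty": "2"}, cart)
    print(first["status"], first["location"])  # 302 to the IdP, cart still empty
    done = oidc_callback(sess, {"code": "demo", "state": sess.oidc_state},
                         cart, lambda code: "alice")
    print(done, cart)
```

Only replay actions that are safe to repeat on the user's behalf (adding an item to a cart is a reasonable candidate; a payment is not), keep the stored payload small, and give it the same lifetime as the login attempt so a stale intent is not executed minutes later.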