Hi everyone!
I have encountered an interesting issue on a corporate ADFS which I don't have much access to (no logs, not sure about version etc.), where two parameters are being added when navigating to the authorize endpoint:
https://path-to-adfs-server/adfs/oauth2/authorize?response_type=token&client_id={client_id}&redirect_uri=https%3A%2F%2Flocalhost%3A3000&scope=read&resource=myresource&state=f02bf58ac7994e5af1b1a3b62d6a2dd8
The two query parameters that are being automatically added are:
- pullStatus=0
- client-request-id={uuid}
My question is: are these standard, but undocumented, ADFS parameters? Or is this something custom? I can't find any scripts or HTTP redirect that is redirecting me with these parameters, so I'm thinking it's something running on Windows adding it (like some sort of SSO? Bear with me, I'm new to all of this :-)). Also, when doing searches for these parameters I end up with very few or 0 hits. E.g. I found this blog post mentioning pullStatus=0 but it doesn't seem to be related to my issue.
The issue is that I can't silently refresh tokens through an iframe because X-Frame-Options is always set to deny, even though I clearly have a session cookie for the ADFS server and have already fetched credentials interactively. If I add &pullStatus=0 to the end of the silent refresh request, all is good and no X-Frame-Options header is sent. Also, if I open a popup to "silently" refresh, it all works (the popup opens and closes immediately without user interaction), because X-Frame-Options doesn't affect popups.
I'm curious as to what pullStatus actually is/does. In our production environment it isn't needed, so I'm trying to figure out why it is needed in our test environment.