The current documentation for identifying and redirecting relies on client-side code executing: https://help.canny.io/getting-started-on-canny/setting-up-single-sign-on-redirect
This poses a potential security risk, since anything on the client can be manipulated, including the data that is being sent in the identify method.
My login page is a native form post, which means that after I authenticate my user I need to load a new page just to run the Canny script to redirect them.
My proposed feature is the ability to generate a JWT token for redirection purposes. Once authentication happens on my backend I can redirect the user to something like https://my-company.canny.io/auth/jwt={generatedJwtTokenHere}&redirect=https://feedback.my-company.com
This is how our SSO implementation with Zendesk works. You can find their documentation here: https://support.zendesk.com/hc/en-us/articles/203663816-Enabling-JWT-JSON-Web-Token-single-sign-on#topic_w5x_1fh_3fb
In addition, I feel the documentation should be updated to warn users of potential unvalidated redirect attacks: https://www.owasp.org/index.php/Unvalidated_Redirects_and_Forwards_Cheat_Sheet
Please do let me know if I overlooked any documentation about how to achieve my suggestion above.
Thanks
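
The following is an added example, not part of the original post and not Canny's API: a sketch of the server-signed redirect the post proposes, with the receiving side's signature check and a redirect allowlist. The `/auth` endpoint, the `jwt` and `redirect` query parameter names, the claim names, the shared secret and the allowlist are all assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import urlencode, urlsplit

SECRET = b"constructed-shared-secret"                 # constructed; shared out of band
ALLOWED_REDIRECT_HOSTS = {"feedback.my-company.com"}  # hypothetical allowlist

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Backend side: issue an HS256 token once the user has authenticated."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_jwt(token: str, secret: bytes = SECRET, now=None) -> dict:
    """Receiving side: accept only unexpired tokens signed with the shared secret."""
    header, payload, sig = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never trust the token's own alg choice
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload))
    if claims.get("exp", 0) < (time.time() if now is None else now):
        raise ValueError("expired")
    return claims

def safe_redirect(url: str) -> bool:
    """Exact host match over https; substring or prefix checks are bypassable."""
    parts = urlsplit(url)
    return parts.scheme == "https" and parts.hostname in ALLOWED_REDIRECT_HOSTS

def build_sso_url(user: dict, redirect: str) -> str:
    """Backend side: build the redirect target sent after the form post."""
    if not safe_redirect(redirect):
        raise ValueError("redirect not allowed")
    now = int(time.time())
    claims = {**user, "iat": now, "exp": now + 60}  # short-lived, single hop
    query = urlencode({"jwt": sign_jwt(claims), "redirect": redirect})
    return f"https://my-company.canny.io/auth?{query}"  # hypothetical endpoint
```

The receiving service would run the same `safe_redirect` check on its side before following the `redirect` parameter, since that value travels outside the signed token in this layout.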