Multi-step authentication is a different case, I think. We don't set cookies in an intermediate state. What if we use "remember me"? Then the cookie will be there even if we close the browser, isn't it?
On Mon, Jan 29, 2018 at 8:15 PM, Ishara Karunarathna <isha...@wso2.com> wrote:
> Hi Hasintha,
>
> The same can happen in multi-step authentication where a user successfully logs in with the 1st authenticator and fails in the 2nd case.
>
> On Mon, Jan 29, 2018 at 8:04 PM, Hasintha Indrajee <hasin...@wso2.com> wrote:
>
>> We have the feature of enabling authorization for a service provider [1]. Imagine a scenario where we log in to an SP for the very first time and authorization fails due to some violation of authorization policies. Even if authorization fails we do set the commonAuthId cookie in the response, which means the user has a valid SSO session from that point onwards.
>>
>> This can be seen from two perspectives.
>>
>> 1) The user is authenticated, but authorization fails. Hence we should set the cookie for SSO irrespective of the authorization decision.
>>
>> 2) But this may lead to an inconsistent state. Suppose this is the only application the user is allowed to log in to. But due to some policy violation, the first login fails. In the case of a shared computer this leads to a deadlock where the user can neither properly log in nor properly log out. We can use the workaround of calling commonAuthLogout=true. But this will not do a proper logout (logging out external IdPs). Hence on a shared computer the user has no option.
>>
> I think in this case the user should close the browser, then he won't get this issue. This is valid for multi-step authentication as well.
>
> -Ishara
>
>> Hence I think we can avoid setting the cookie until a user successfully accesses at least a single application upon successful authentication and authorization. So simply, even if the user is authenticated for the very first time, we will not set the cookie unless the user is authorized to access that particular application. (This only applies to the very first app the user is trying to log in to.)
>>
>> WDYT?
>>
>> [1] https://docs.wso2.com/display/IS530/Configuring+Access+Control+Policy+for+a+Service+Provider
>>
>> --
>> Hasintha Indrajee
>> WSO2, Inc.
>> Mobile: +94 771892453
>
> --
> Ishara Karunarathna
> Technical Lead
> WSO2 Inc. - lean . enterprise . middleware | wso2.com
> email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791

--
Hasintha Indrajee
WSO2, Inc.
Mobile: +94 771892453
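The cookie-issuance change proposed in the quoted message, as an added Python sketch that is not WSO2 Identity Server code: the first handler issues the SSO cookie as soon as authentication passes (the behaviour the thread complains about), the second defers it until authorization for the first application also succeeds, while leaving an already existing session untouched. Names such as ACCESS_POLICY, login_cookie_first and login_cookie_deferred are my own, and the user, OTP and policy data are constructed.

```python
import uuid
from dataclasses import dataclass, field

# Constructed sample data (not real WSO2 configuration): per-user password and
# second-step OTP, plus the service providers each user may access.
CREDENTIALS = {"alice": ("pw-a", "111111"), "bob": ("pw-b", "222222")}
ACCESS_POLICY = {"alice": {"app1", "app2"}, "bob": {"app2"}}


@dataclass
class Response:
    status: str                          # "ok", "authn_failed" or "authz_failed"
    cookies: dict = field(default_factory=dict)


def authenticate(user, password, otp):
    """Multi-step authentication: every step must pass to count as a login."""
    creds = CREDENTIALS.get(user)
    return creds is not None and creds == (password, otp)


def authorize(user, sp):
    return sp in ACCESS_POLICY.get(user, set())


def new_session(user):
    return f"{user}-{uuid.uuid4().hex}"  # constructed commonAuthId value


def login_cookie_first(user, password, otp, sp, sso_cookie=None):
    """Behaviour described in the thread: commonAuthId is issued as soon as
    authentication succeeds, so a first login that then fails authorization
    still leaves a live SSO session behind on a (possibly shared) browser."""
    if not authenticate(user, password, otp):
        return Response("authn_failed")
    cookie = sso_cookie or new_session(user)
    status = "ok" if authorize(user, sp) else "authz_failed"
    return Response(status, {"commonAuthId": cookie})


def login_cookie_deferred(user, password, otp, sp, sso_cookie=None):
    """Proposal from the thread: on a first login, issue commonAuthId only when
    authentication AND authorization for that SP both succeed. A session that
    already exists (cookie presented) is kept as it was either way."""
    if not authenticate(user, password, otp):
        return Response("authn_failed")
    if not authorize(user, sp):
        resp = Response("authz_failed")
        if sso_cookie:                   # not the first app: keep the session
            resp.cookies["commonAuthId"] = sso_cookie
        return resp
    return Response("ok", {"commonAuthId": sso_cookie or new_session(user)})
```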