So that's because we don't have a proper way of reverting it back. Hence
isn't it better not to write cookies until a proper access of an
application takes place for this scenario? In a multi-step scenario it's
true that there is an IdP session, but still the user is not properly
logged in since one of the steps failed. Hence next time the next step will
be prompted, which means he doesn't have a valid session.

The idea is if we can avoid writing cookies we can unify the post-authentication
behaviours (missing mandatory claim handling, authorization, etc.).

On Mon, Jan 29, 2018 at 8:26 PM, Ishara Karunarathna <isha...@wso2.com>
wrote:

> Hi Hasintha,
>
> On Mon, Jan 29, 2018 at 8:19 PM, Hasintha Indrajee <hasin...@wso2.com>
> wrote:
>
>> Multi-step authentication is a different case I think. We don't set
>> cookies in an intermediate state. What if we use "remember me"? So the
>> cookie will be there even if we close the browser, isn't it?
>>
> Think of the authentication steps:
> step 1: Federated authenticator
> step 2: Local authenticator
>
> Then in step 1 the federated authenticator will create a session where the 2nd
> authentication fails. So the 2nd time also the user will automatically be
> redirected to the federated authenticator and authenticated, then fail in the 2nd
> case.
>
> -Ishara
>
>>
>> On Mon, Jan 29, 2018 at 8:15 PM, Ishara Karunarathna <isha...@wso2.com>
>> wrote:
>>
>>> Hi Hasintha,
>>>
>>> Same can happen in multi-step authentication where a user successfully
>>> logs in with the 1st authenticator and fails in the 2nd case.
>>>
>>> On Mon, Jan 29, 2018 at 8:04 PM, Hasintha Indrajee <hasin...@wso2.com>
>>> wrote:
>>>
>>>> We have the feature of enabling authorization for a service provider [1].
>>>> Imagine a scenario where we log in to an SP for the very first time and
>>>> authorization fails due to some violation of authorization policies. Even
>>>> if authorization fails we do set the commonAuthId cookie in the response, which
>>>> means the user has a valid SSO session from that point onwards.
>>>>
>>>> This can be seen in two perspectives.
>>>>
>>>> 1) The user is authenticated, but authorization fails. Hence we should
>>>> set the cookie for SSO irrespective of the authorization decision.
>>>>
>>>> 2) But this may lead to an inconsistent state. Suppose this is the only
>>>> application the user is allowed to log in to. But due to some policy violation,
>>>> the first login fails. In the case of a shared computer this leads to a
>>>> deadlock where the user can neither properly log in nor properly log out. We
>>>> can use the workaround of calling commonAuthLogout=true. But this will not
>>>> do a proper logout (logging out external IdPs). Hence on a shared computer
>>>> the user has no option.
>>>>
>>> I think in this case the user should close the browser, then he won't get
>>> this issue. This is valid for the multi-step authentication as well.
>>>
>>> -Ishara
>>>
>>>>
>>>> Hence I think we can avoid setting the cookie until a user successfully
>>>> accesses at least a single application upon successful authentication and
>>>> authorization. So simply, even if the user is authenticated for the very
>>>> first time, we will not set the cookie unless the user is authorized to
>>>> access that particular application. (This only applies to the very first
>>>> app the user is trying to log in to.)
>>>>
>>>> WDYT?
>>>>
>>>>
>>>> [1] https://docs.wso2.com/display/IS530/Configuring+Access+Control+Policy+for+a+Service+Provider
>>>>
>>>>
>>>>
>>>> --
>>>> Hasintha Indrajee
>>>> WSO2, Inc.
>>>> Mobile: +94 771892453
>>>>
>>>>
>>>
>>>
>>> --
>>> Ishara Karunarathna
>>> Technical Lead
>>> WSO2 Inc. - lean . enterprise . middleware |  wso2.com
>>>
>>> email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile: +94717996791


-- 
Hasintha Indrajee
WSO2, Inc.
Mobile:+94 771892453
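An added model of the two behaviours compared in this thread (current: commonAuthId cookie written on authentication success regardless of authorization; proposed: cookie written only once the user is authorized for the first application), plus the multi-step case where no cookie is written in an intermediate state. This is illustrative Python, not WSO2 Identity Server code; the `IdP` class, its `login` method and the cookie-dict browser are assumptions made for the example.

```python
import itertools
from typing import Callable, Dict, List, Set, Tuple

# Added model of the commonAuthId proposal from this thread. Not WSO2 Identity Server
# code: the class and method names below are assumptions made for the illustration.
# A browser on a shared machine is modelled as a plain cookie dict.

Step = Tuple[str, bool]  # (authenticator name, whether it succeeds), run in order


class IdP:
    def __init__(self, defer_cookie: bool) -> None:
        # defer_cookie=False: current behaviour (cookie written on authentication success).
        # defer_cookie=True: the thread's proposal (cookie written only once the user is
        # authorized for the very first application).
        self.defer_cookie = defer_cookie
        self.sessions: Dict[str, Set[str]] = {}  # commonAuthId value -> apps accessed
        self._ids = itertools.count(1)

    def _new_session(self, browser: Dict[str, str]) -> str:
        sid = f"commonAuthId-{next(self._ids)}"
        self.sessions[sid] = set()
        browser["commonAuthId"] = sid  # the SSO cookie now sits in the shared browser
        return sid

    def has_sso_session(self, browser: Dict[str, str]) -> bool:
        return browser.get("commonAuthId") in self.sessions

    def login(self, browser: Dict[str, str], app: str, steps: List[Step],
              authorize: Callable[[str], bool]) -> str:
        """Returns 'ok', 'authn_failed' or 'authz_failed'."""
        sid = browser.get("commonAuthId")
        if sid not in self.sessions:
            sid = None
            # No usable SSO session: run each authenticator; stop at the first failure.
            # Nothing is written to the browser in this intermediate state.
            for _name, ok in steps:
                if not ok:
                    return "authn_failed"
        if authorize(app):  # the SP's access-control policy decision
            if sid is None:
                sid = self._new_session(browser)
            self.sessions[sid].add(app)
            return "ok"
        if sid is None and not self.defer_cookie:
            # Current behaviour: the cookie is set even though authorization failed,
            # so the shared browser now carries a session the user cannot use or end cleanly.
            self._new_session(browser)
        return "authz_failed"
```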
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
