From: Sander A. <sa....@fz...> - 2024-05-16 07:57:50
Good morning Krzysztof, good morning Roman,

we have a client which wants to check if the user still has a running session in Unity, and to end the session in the service if there is no session in Unity anymore. They are using a normal OIDC flow with prompt=none, and it works fine if the user stored the consent, but if not, Unity sends "Unexpected server error". Since OIDC already defines the error "consent_required", it would be much more comfortable for the service, and in the end for the user, if Unity would send this error message. What do you think? I added some details from the service operator for you below.

We do a regular OIDC flow and after a while we trigger another flow with prompt=none to validate the user is still active and authenticated:

https://login-dev.helmholtz.de/oauth2-as/oauth2-authz
    ?response_type=code
    &client_id=OUR_CLIENT
    &redirect_uri=OUR_URI
    &prompt=none
    &nonce=NONCE
    &code_challenge=CODE_CHALLENGE
    &code_challenge_method=S256

If the user did not tick the 'remember my decision' box, then they get redirected with:

https://OUR_HOSTNAME/oidc/callback/
    ?error=server_error
    &error_description=Unexpected+server+error
    &state=STATE

Unity log:

ERROR unity.server.oauth.ASConsentDeciderServlet: Consent is required but 'none' prompt was given

Returning an error seems to be the correct behaviour here (https://openid.net/specs/openid-connect-core-1_0.html). Returning e.g. consent_required (https://openid.net/specs/openid-connect-core-1_0.html#AuthError) instead of the generic server_error, as suggested in the specification, could help us display a useful error message to the user. Since Unity's log already displays this as a specific error, this is hopefully not too difficult to implement.
We're using mozilla-django-oidc:
https://mozilla-django-oidc.readthedocs.io/en/stable/installation.html#validate-id-tokens-by-renewing-them
https://github.com/mozilla/mozilla-django-oidc/blob/2c2334fdc9b2fc72a492b5f0e990b4c30de68363/mozilla_django_oidc/middleware.py#L147

Best regards,
Sander

--
Large-Scale Data Science
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Amtsgericht Dueren, No. HR B 3498
Chairman of the Supervisory Board: MinDir Stefan Müller
Management Board: Prof. Dr. Astrid Lambrecht (Chair), Karsten Beneke (Deputy Chair), Dr. Ir. Pieter Jansens
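An added example, not part of Sander's mail and not code from Unity or mozilla-django-oidc, showing in Python the service-side half of the probe the mail describes: building the prompt=none request with a PKCE S256 challenge and mapping the IdP's redirect to a decision, using the OIDC Core AuthError list so that an interaction error (consent_required, login_required, ...) ends the local session while a generic server_error does not. The scope and state parameters, the placeholder client/redirect values and the action names are assumptions.

```python
import hashlib
import secrets
from base64 import urlsafe_b64encode
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed placeholders standing in for OUR_CLIENT / OUR_URI from the mail.
AUTHZ_ENDPOINT = "https://login-dev.helmholtz.de/oauth2-as/oauth2-authz"
CLIENT_ID = "OUR_CLIENT"
REDIRECT_URI = "https://OUR_HOSTNAME/oidc/callback/"

# OIDC Core 1.0 section 3.1.2.6: errors meaning "the end user must interact".
# For a prompt=none probe each of these means the silent check failed.
INTERACTION_ERRORS = {"login_required", "consent_required",
                      "interaction_required", "account_selection_required"}


def pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, S256 code_challenge) as defined in RFC 7636."""
    verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def silent_auth_url(state: str, nonce: str, challenge: str) -> str:
    """Build the prompt=none re-authentication request from the mail."""
    params = {
        "response_type": "code", "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI, "scope": "openid", "prompt": "none",
        "state": state, "nonce": nonce,
        "code_challenge": challenge, "code_challenge_method": "S256",
    }
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"


def classify_callback(callback_url: str, expected_state: str) -> str:
    """Map the IdP redirect to an action for the service's own session.

    "reject":         state mismatch, response is not ours (possible CSRF)
    "continue":       a code came back, the IdP session is still alive
    "end_session":    IdP requires interaction: no live session/consent
    "retry_or_alert": server_error or unknown code; an IdP fault must not
                      silently log the user out
    """
    q = {k: v[0] for k, v in parse_qs(urlsplit(callback_url).query).items()}
    if q.get("state") != expected_state:
        return "reject"
    if "code" in q:
        return "continue"
    if q.get("error", "") in INTERACTION_ERRORS:
        return "end_session"
    return "retry_or_alert"
```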