From: Roman K. <ro...@un...> - 2024-05-16 10:13:08
Good morning Sander,

One way of solving this problem, which Unity already supports, is to use the tokeninfo endpoint. It does not extend the token validity, and provides information about its expiration. Would that work?

Best regards,
Roman

Thu, 16 May 2024 at 09:57 Sander Apweiler <sa....@fz...> wrote:
> Good morning Krzysztof,
> good morning Roman,
>
> we have a client which wants to check if the user still has a running
> session in unity and end the session in the service, if there is no
> session in unity anymore. They are using a normal oidc flow with
> prompt=none and it works fine if the user stored the consent, but if
> not unity sends Unexpected server error. Since OIDC already defines
> the error "consent_required", it would be much more comfortable for the
> service and in the end for the user, if unity would send this error
> message. What do you think?
>
> I added some details from the service operator below.
>
>
> We do a regular OIDC flow and after a while we trigger another flow with
> prompt=none to validate the user is still active and authenticated:
>
> https://login-dev.helmholtz.de/oauth2-as/oauth2-authz
> ?response_type=code
> &client_id=OUR_CLIENT
> &redirect_uri=OUR_URI
> &prompt=none
> &nonce=NONCE
> &code_challenge=CODE_CHALLENGE
> &code_challenge_method=S256
>
>
> If the user did not tick the 'remember my decision' box, then they get
> redirected with:
>
> https://OUR_HOSTNAME/oidc/callback/
> ?error=server_error
> &error_description=Unexpected+server+error&state=STATE
>
>
> Unity log:
>
> ERROR unity.server.oauth.ASConsentDeciderServlet: Consent is required
> but 'none' prompt was given
>
>
> Returning an error seems to be the correct behaviour here
> (https://openid.net/specs/openid-connect-core-1_0.html).
> Returning e.g. consent_required
> (https://openid.net/specs/openid-connect-core-1_0.html#AuthError)
> instead of the generic server_error as suggested in the specification,
> could help us display a useful error message to the user. Since Unity's
> log already displays this as a specific error this is hopefully not too
> difficult to implement.
>
>
> We're using mozilla-django OIDC:
>
> https://mozilla-django-oidc.readthedocs.io/en/stable/installation.html#validate-id-tokens-by-renewing-them
>
> https://github.com/mozilla/mozilla-django-oidc/blob/2c2334fdc9b2fc72a492b5f0e990b4c30de68363/mozilla_django_oidc/middleware.py#L147
>
>
> Best regards,
> Sander
>
> --
> Large-Scale Data Science
> Juelich Supercomputing Centre
>
> phone: +49 2461 61 8847
> fax: +49 2461 61 6656
> email: sa....@fz...
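The relying-party side of the silent re-check discussed in this thread, as an added example that is not code from Unity, mozilla-django-oidc or either poster: it classifies the prompt=none callback by the spec-defined error codes, so a consent_required answer can end the local session while the generic server_error Unity currently returns is kept distinct. The callback URLs and the state value are constructed to mirror the ones quoted above; the decision labels are assumptions of this example.

```python
"""Classify the callback of a prompt=none (silent) OIDC re-authentication.

Added example, not part of Unity or mozilla-django-oidc. The RP sends the
user through the authorization endpoint with prompt=none and later receives
a redirect to its callback URL; this function decides what that redirect
means for the RP's own session.
"""
from urllib.parse import parse_qs, urlparse

# Error codes that OpenID Connect Core 1.0 (section 3.1.2.6, "AuthError")
# defines for the case where the OP would need user interaction that
# prompt=none forbids. All of them mean: no silent renewal possible.
INTERACTION_ERRORS = {
    "login_required",              # no usable session at the OP
    "consent_required",            # session exists, consent was not stored
    "interaction_required",        # some other user interaction is needed
    "account_selection_required",  # the OP needs the user to pick an account
}


def classify_silent_callback(callback_url: str, expected_state: str) -> str:
    """Return 'reject', 'renewed', 'end_session' or 'unknown' (labels are
    this example's own)."""
    params = parse_qs(urlparse(callback_url).query)
    state = params.get("state", [None])[0]
    # The state parameter binds the response to the request we issued;
    # a mismatch is treated as a foreign or replayed response and ignored.
    if state != expected_state:
        return "reject"
    if "code" in params:
        # The OP still has a session and stored consent: exchange the code
        # (not shown here) and keep the local session alive.
        return "renewed"
    error = params.get("error", [None])[0]
    if error in INTERACTION_ERRORS:
        # Spec-defined answer: the OP cannot renew silently, so the RP ends
        # its local session and requires an interactive login next time.
        return "end_session"
    # server_error and other non-interaction errors say nothing about the
    # user's session state; do not log the user out on them, log and alert.
    return "unknown"
```

With Unity's current behaviour the server_error callback lands in the "unknown" branch, which is exactly why the thread asks for consent_required instead.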