From: Sander A. <sa....@fz...> - 2024-05-16 10:20:08
Dear Roman,

I think not. They want to test if the user has a running session at Unity. The token might not have been revoked if the session was closed. Or does Unity invalidate all tokens created in the session if the user logs out?

Best regards,
Sander

On Thu, 2024-05-16 at 12:12 +0200, Roman Krysiński wrote:
> Good morning Sander,
>
> One way of solving this problem, which Unity already supports, is to
> use the tokeninfo endpoint.
> It does not extend the token validity, and provides information about
> its expiration.
>
> Would that work?
>
> Best regards,
> Roman
>
>
> Thu, 16 May 2024 at 09:57 Sander Apweiler <sa....@fz...> wrote:
> > Good morning Krzysztof,
> > good morning Roman,
> >
> > we have a client which wants to check if the user still has a running
> > session in Unity and end the session in the service if there is no
> > session in Unity anymore. They are using a normal OIDC flow with
> > prompt=none and it works fine if the user stored the consent, but if
> > not, Unity sends "Unexpected server error". Since OIDC already defines
> > the error "consent_required", it would be much more comfortable for the
> > service and in the end for the user if Unity would send this error
> > message. What do you think?
> >
> > I added some details from the service operator below.
> >
> >
> > We do a regular OIDC flow and after a while we trigger another flow with
> > prompt=none to validate the user is still active and authenticated:
> >
> > https://login-dev.helmholtz.de/oauth2-as/oauth2-authz
> > ?response_type=code
> > &client_id=OUR_CLIENT
> > &redirect_uri=OUR_URI
> > &prompt=none
> > &nonce=NONCE
> > &code_challenge=CODE_CHALLENGE
> > &code_challenge_method=S256
> >
> >
> > If the user did not tick the 'remember my decision' box, then they get
> > redirected with:
> >
> > https://OUR_HOSTNAME/oidc/callback/
> > ?error=server_error
> > &error_description=Unexpected+server+error&state=STATE
> >
> >
> > Unity log:
> >
> > ERROR unity.server.oauth.ASConsentDeciderServlet: Consent is required
> > but 'none' prompt was given
> >
> >
> > Returning an error seems to be the correct behaviour here
> > (https://openid.net/specs/openid-connect-core-1_0.html).
> > Returning e.g. consent_required
> > (https://openid.net/specs/openid-connect-core-1_0.html#AuthError)
> > instead of the generic server_error, as suggested in the specification,
> > could help us display a useful error message to the user. Since Unity's
> > log already displays this as a specific error this is hopefully not too
> > difficult to implement.
> >
> >
> > We're using mozilla-django OIDC:
> >
> > https://mozilla-django-oidc.readthedocs.io/en/stable/installation.html#validate-id-tokens-by-renewing-them
> >
> > https://github.com/mozilla/mozilla-django-oidc/blob/2c2334fdc9b2fc72a492b5f0e990b4c30de68363/mozilla_django_oidc/middleware.py#L147
> >
> >
> > Best regards,
> > Sander
> > --

Large-Scale Data Science
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...
-----------------------------------------------------------------------
Forschungszentrum Juelich GmbH
52425 Juelich
Registered office: Juelich
Registered in the commercial register of the Dueren local court, No. HR B 3498
Chairman of the Supervisory Board: MinDir Stefan Müller
Management: Prof. Dr. Astrid Lambrecht (Chair), Karsten Beneke (Deputy Chair), Dr. Ir. Pieter Jansens
-----------------------------------------------------------------------
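The thread above turns on how a relying party should read the result of a prompt=none re-authorization: a code means the IdP session is alive, a spec-defined interaction error (consent_required, login_required, ...) means the user can no longer be silently authenticated, while a generic server_error tells the client nothing it can safely act on. The following is an added example illustrating that distinction; it is not code from the thread, from Unity or from mozilla-django-oidc. It reuses the authorization endpoint quoted in the thread, builds the same prompt=none request with a PKCE S256 challenge, and classifies a callback URL the way the service operator would need to. The client id, redirect URI, state and nonce values are placeholders, and the function names are this example's own.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Authorization endpoint named in the thread; all other values here are constructed.
AUTHZ_ENDPOINT = "https://login-dev.helmholtz.de/oauth2-as/oauth2-authz"

# Error codes OpenID Connect Core 1.0 (section 3.1.2.6) defines for a request
# that cannot be completed without user interaction, e.g. under prompt=none.
INTERACTION_ERRORS = frozenset({
    "login_required",
    "consent_required",
    "interaction_required",
    "account_selection_required",
})


def s256_challenge(code_verifier: str) -> str:
    """PKCE S256 transform: base64url(SHA-256(verifier)) with padding stripped (RFC 7636)."""
    digest = hashlib.sha256(code_verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """Fresh high-entropy verifier: 32 random bytes -> 43 base64url characters."""
    return base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode("ascii")


def build_silent_authz_url(client_id: str, redirect_uri: str, state: str,
                           nonce: str, code_verifier: str) -> str:
    """Authorization URL shaped like the one in the thread: prompt=none plus PKCE S256."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "prompt": "none",
        "state": state,
        "nonce": nonce,
        "code_challenge": s256_challenge(code_verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"


def classify_callback(callback_url: str, expected_state: str) -> str:
    """Decide what a prompt=none callback tells the relying party.

    "session_active"       - an authorization code came back; the IdP session is alive.
    "interaction_required" - a spec-defined interaction error (consent_required,
                             login_required, ...): the user is no longer silently
                             authenticated, so ending the local session is justified.
    "indeterminate"        - a generic error such as server_error, which the client
                             cannot tell apart from an IdP outage; do not end the
                             local session on this evidence alone.
    "state_mismatch"       - the callback does not belong to the request we issued.
    """
    query = parse_qs(urlparse(callback_url).query)

    def first(key: str):
        return query.get(key, [None])[0]

    if first("state") != expected_state:
        return "state_mismatch"
    if first("code"):
        return "session_active"
    if first("error") in INTERACTION_ERRORS:
        return "interaction_required"
    return "indeterminate"


if __name__ == "__main__":
    verifier = new_code_verifier()
    print(build_silent_authz_url("OUR_CLIENT", "https://OUR_HOSTNAME/oidc/callback/",
                                 "STATE", "NONCE", verifier))
    # The callback the thread reports today (constructed from the quoted URL):
    reported = ("https://OUR_HOSTNAME/oidc/callback/"
                "?error=server_error&error_description=Unexpected+server+error&state=STATE")
    print(classify_callback(reported, "STATE"))
    # What the same situation would look like with the spec's consent_required:
    print(classify_callback("https://OUR_HOSTNAME/oidc/callback/?error=consent_required&state=STATE", "STATE"))
```

Run as a script it prints the constructed authorization URL, then "indeterminate" for the server_error callback and "interaction_required" for the consent_required variant, which is exactly the gap the service operator describes: only the second result lets the client end its local session with confidence.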