From: Roman K. <ro...@un...> - 2024-05-21 12:22:42
Hi Sander,

Sorry to be so long in my reply. I see your point; I have opened a ticket to correct the error coming from the OAuth IdP, as suggested.

Best regards,
Roman

On Thu, 16 May 2024 at 12:20 Sander Apweiler <sa....@fz...> wrote:
> Dear Roman,
> I think not. They want to test if the user has a running session at
> unity. The token might not have been revoked if the session was closed.
> Or does unity invalidate all tokens created in the session if the user
> logs out?
>
> Best regards,
> Sander
>
>
> On Thu, 2024-05-16 at 12:12 +0200, Roman Krysiński wrote:
> > Good morning Sander,
> >
> > One way of solving this problem, which Unity already supports, is to
> > use the tokeninfo endpoint.
> > It does not extend the token validity, and provides information about
> > its expiration.
> >
> > Would that work?
> >
> > Best regards,
> > Roman
> >
> >
> > On Thu, 16 May 2024 at 09:57 Sander Apweiler <sa....@fz...> wrote:
> > > Good morning Krzystzof,
> > > good morning Roman,
> > >
> > > we have a client which wants to check whether the user still has a
> > > running session in unity and end the session in the service if there
> > > is no session in unity anymore. They are using a normal OIDC flow
> > > with prompt=none, and it works fine if the user stored the consent,
> > > but if not, unity sends "Unexpected server error". Since OIDC already
> > > defines the error "consent_required", it would be much more
> > > comfortable for the service, and in the end for the user, if unity
> > > would send this error message. What do you think?
> > >
> > > I added some details from the service operator below.
> > >
> > >
> > > We do a regular OIDC flow and after a while we trigger another flow
> > > with prompt=none to validate the user is still active and
> > > authenticated:
> > >
> > > https://login-dev.helmholtz.de/oauth2-as/oauth2-authz
> > > ?response_type=code
> > > &client_id=OUR_CLIENT
> > > &redirect_uri=OUR_URI
> > > &prompt=none
> > > &nonce=NONCE
> > > &code_challenge=CODE_CHALLENGE
> > > &code_challenge_method=S256
> > >
> > >
> > > If the user did not tick the 'remember my decision' box, then they
> > > get redirected with:
> > >
> > > https://OUR_HOSTNAME/oidc/callback/
> > > ?error=server_error
> > > &error_description=Unexpected+server+error&state=STATE
> > >
> > >
> > > Unity log:
> > >
> > > ERROR unity.server.oauth.ASConsentDeciderServlet: Consent is required
> > > but 'none' prompt was given
> > >
> > >
> > > Returning an error seems to be the correct behaviour here
> > > (https://openid.net/specs/openid-connect-core-1_0.html).
> > > Returning e.g. consent_required
> > > (https://openid.net/specs/openid-connect-core-1_0.html#AuthError)
> > > instead of the generic server_error, as suggested in the
> > > specification, could help us display a useful error message to the
> > > user. Since Unity's log already displays this as a specific error,
> > > this is hopefully not too difficult to implement.
> > >
> > >
> > > We're using mozilla-django-oidc:
> > >
> > > https://mozilla-django-oidc.readthedocs.io/en/stable/installation.html#validate-id-tokens-by-renewing-them
> > >
> > > https://github.com/mozilla/mozilla-django-oidc/blob/2c2334fdc9b2fc72a492b5f0e990b4c30de68363/mozilla_django_oidc/middleware.py#L147
> > >
> > >
> > > Best regards,
> > > Sander
> >
> --
> Large-Scale Data Science
> Juelich Supercomputing Centre
>
> phone: +49 2461 61 8847
> fax: +49 2461 61 6656
> email: sa....@fz...
>
> -----------------------------------------------------------------------
> Forschungszentrum Juelich GmbH
> 52425 Juelich
> Registered office: Juelich
> Registered in the commercial register of the Amtsgericht Dueren, No. HR B 3498
> Chairman of the Supervisory Board: MinDir Stefan Müller
> Management: Prof. Dr. Astrid Lambrecht (Chair),
> Karsten Beneke (Deputy Chair), Dr. Ir. Pieter Jansens
> -----------------------------------------------------------------------
>
>
> _______________________________________________
> Unity-idm-discuss mailing list
> Uni...@li...
> https://lists.sourceforge.net/lists/listinfo/unity-idm-discuss
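Added example, not code from this thread, from Unity or from mozilla-django-oidc: a minimal client-side version of the session probe the service operator describes, written in Python because the service in question is a Django application. It builds the prompt=none authorization request with a fresh PKCE pair, and then classifies the OP's redirect according to the error codes OIDC Core 3.1.2.6 defines for prompt=none, so that login_required ends the local session, consent_required (what Unity logs internally) is recognised as "user still logged in, but silent flow impossible", and the generic server_error the thread complains about is treated as indeterminate rather than as proof that the session is gone. The authorization endpoint and the placeholder client_id and redirect URI are those quoted in the thread; scope=openid (omitted in the quoted request, but required by OIDC), the state value and the action names are assumptions of this example.

```python
"""Silent OIDC session probe (prompt=none) and callback classification.

Added example; the endpoint and placeholders are copied from the thread,
everything else is assumed.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Authorization endpoint quoted in the thread. CLIENT_ID and REDIRECT_URI are
# the same placeholders the service operator used (assumed, not real values).
AUTHZ_ENDPOINT = "https://login-dev.helmholtz.de/oauth2-as/oauth2-authz"
CLIENT_ID = "OUR_CLIENT"
REDIRECT_URI = "https://OUR_HOSTNAME/oidc/callback/"

# Errors OIDC Core 3.1.2.6 defines for a prompt=none request that cannot be
# completed without user interaction.
INTERACTION_ERRORS = frozenset(
    {"consent_required", "interaction_required", "account_selection_required"}
)


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, S256 code_challenge) for one authorization request."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, inside RFC 7636's 43..128
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def pkce_challenge_matches(verifier: str, challenge: str) -> bool:
    """What the token endpoint checks when the code is redeemed."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest()) == challenge


def build_silent_authz_url(state: str, nonce: str, code_challenge: str) -> str:
    """The re-authentication request from the thread, plus scope=openid and state.

    scope=openid is assumed (OIDC requires it; the quoted URL omits it) and
    state binds the callback to this request so a stray redirect is rejected.
    """
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "prompt": "none",
        "state": state,
        "nonce": nonce,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHZ_ENDPOINT + "?" + urlencode(params)


def classify_callback(callback_url: str, expected_state: str) -> str:
    """Map the OP's redirect to an action for the service's own session.

    Action names are this example's own. A real client must still redeem the
    code at the token endpoint and verify the ID token's nonce before trusting
    "session_alive".
    """
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        return "reject"  # not a response to our request (CSRF / mix-up); ignore it
    if "code" in qs:
        return "session_alive"  # the OP issued a code without any interaction
    error = qs.get("error", [None])[0]
    if error == "login_required":
        return "end_local_session"  # the OP reports no authenticated user any more
    if error in INTERACTION_ERRORS:
        return "needs_interaction"  # user still logged in; consent etc. must be done interactively
    return "indeterminate"  # e.g. the generic server_error from the thread: do not log out on it
```

Usage: store the verifier, state and nonce in the local session, send the user to `build_silent_authz_url(...)`, and feed the callback URL to `classify_callback(...)`; only `end_local_session` should terminate the service session, which is exactly why a specific `consent_required` from the OP is more useful to the client than `server_error`.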