Thanks for the clarification, Vihanga. So this is a kind of "force" authentication where the forcing happens within the context of the same authentication request rather than across different authentication requests in the same session. I can also see that it is a valid requirement. It also has no relevance to the retryAuthenticationEnabled() method in the authenticator interface, as that is only relevant within the context of an authentication step; this requirement goes beyond a single authentication step. +1 to support it at the authentication framework level.

Thanks & Regards,
Johann.

On Tue, Jul 23, 2019 at 3:25 PM Vihanga Liyanage <viha...@wso2.com> wrote:

> Hi Johann,
>
> Let me explain a sample scenario which led to developing this feature in
> the first place.
>
> 1. The system has three different authenticators, which we'll call
>    step 1, 2 and 3.
> 2. A user first completes step 1 and on success step 2 prompts, and
>    again on the success of step 2, step 3 prompts.
> 3. In a case of failure in step 1 or 2, the user should stay in the
>    same step, retrying.
> 4. But if step 3 fails, we need to go back to step 1 and restart the
>    flow from there.
>
> In the current implementation, we cannot go back to step 1 on a
> failure of step 3, since step 1 is already successful. That's why we're
> talking about a "Force Retry mechanism".
>
> @Senthalan Kanagalingam <sentha...@wso2.com> Please correct me if I'm
> wrong.
>
> Regards,
> Vihanga.
>
> On Mon, Jul 22, 2019 at 12:10 PM Johann Nallathamby <joh...@wso2.com>
> wrote:
>
>> I think we are confused about the terms here.
>> 1. "Retrying" is about allowing the user to retry authentication within
>>    the scope of the same authentication request from the service provider.
>>    This is mainly for failure on the user's part to correctly authenticate.
>> 2. "Forcing" is about making the user authenticate to IS even though
>>    (s)he may have a logged-in session already with IS from a previous
>>    authentication request. Technically "forcing" is when the user has to
>>    again authenticate with the same authenticator (s)he authenticated with
>>    previously. If the user must authenticate with a higher assurance level
>>    authenticator then that is classified as "step-up" and not "force".
>>
>> @Senthalan Kanagalingam <sentha...@wso2.com> can you clarify what
>> this thread is exactly about? Is it about "retry" or "force"? The subject
>> of the mail has both terms and different people seem to be talking of
>> slightly different things, therefore I am a bit confused.
>>
>> Thanks & Regards,
>> Johann.
>>
>> On Mon, Jul 22, 2019 at 7:55 AM Ruwan Abeykoon <ruw...@wso2.com> wrote:
>>
>>> Hi Senthalan,
>>> I think we need two options here.
>>> 1. To allow retry x number of attempts when the authenticator has
>>>    failed.
>>> 2. To allow retry if the same authenticator has been successful in
>>>    the current authentication session.
>>>
>>> Cheers,
>>> Ruwan A
>>>
>>> On Mon, Jul 22, 2019 at 11:19 AM Senthalan Kanagalingam <
>>> sentha...@wso2.com> wrote:
>>>
>>>> Hi all,
>>>>
>>>> On Sun, Jul 21, 2019 at 2:13 PM Maduranga Siriwardena <
>>>> madura...@wso2.com> wrote:
>>>>
>>>>> I think the requirement here is to force to execute the step though it
>>>>> is already authenticated for the browser session. @Senthalan, please
>>>>> correct me if I am wrong.
>>>>>
>>>> Yes, the requirement is to force to execute the step even though the
>>>> step is successfully authenticated.
>>>>
>>>> Thanks,
>>>> Senthalan
>>>>
>>>>> Regards,
>>>>>
>>>>> On Sun, Jul 21, 2019, 8:14 AM Ishara Karunarathna <isha...@wso2.com>
>>>>> wrote:
>>>>>
>>>>>> Hi Senthalan,
>>>>>>
>>>>>> +1 for the idea,
>>>>>> At the moment we handle this in the authenticator level. So better to
>>>>>> get it into the framework level.
>>>>>>
>>>>>> -Ishara
>>>>>>
>>>>>> On Sun, Jul 21, 2019 at 5:29 AM Johann Nallathamby <joh...@wso2.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi Senthalan,
>>>>>>>
>>>>>>> In the AbstractAuthenticator interface we have a method as follows:
>>>>>>>
>>>>>>> protected boolean retryAuthenticationEnabled() {}
>>>>>>>
>>>>>>> My understanding was that the retry mechanism is enabled per
>>>>>>> authenticator level in the authentication-framework even now. Not
>>>>>>> sure if we can configure the retry count now. Is your idea to make
>>>>>>> this behavior adaptive?
>>>>>>>
>>>>>>> How would this improvement impact for:
>>>>>>> 1. Authenticators that have implemented "return true" for above
>>>>>>>    method
>>>>>>> 2. Authenticators that have implemented "return false" for above
>>>>>>>    method
>>>>>>> 3. Users who have extended and provided their own implementation
>>>>>>>
>>>>>>> Regards,
>>>>>>> Johann.
>>>>>>>
>>>>>>> On Thu, Jul 18, 2019 at 7:56 AM Senthalan Kanagalingam <
>>>>>>> sentha...@wso2.com> wrote:
>>>>>>>
>>>>>>>> Hi all,
>>>>>>>>
>>>>>>>> Currently, in our authentication framework, we force to retry the
>>>>>>>> complete authentication process. With the adaptive authentication
>>>>>>>> script, it will be great if we support a force retry mechanism per
>>>>>>>> step. Let me explain a use-case. There will be 3 steps for
>>>>>>>> authentication. If the 1st and 2nd steps passed successfully and
>>>>>>>> the 3rd step failed, the user has to again authenticate with the
>>>>>>>> 2nd step to retry the 3rd step.
>>>>>>>>
>>>>>>>> We can pass a flag in the authentication options parameter (let's
>>>>>>>> say { forceStepRetry : true }) from the script for each
>>>>>>>> executeStep() method and force a retry of the step in the step
>>>>>>>> handler.
>>>>>>>>
>>>>>>>> function onLoginRequest(context) {
>>>>>>>>     executeStep(1, {
>>>>>>>>         onSuccess: function (context) {
>>>>>>>>             forceRetry(context);
>>>>>>>>         }
>>>>>>>>     });
>>>>>>>> }
>>>>>>>>
>>>>>>>> function forceRetry(context) {
>>>>>>>>     executeStep(2, { forceStepRetry : true }, {
>>>>>>>>         onSuccess: function (context) {
>>>>>>>>             executeStep(3, {
>>>>>>>>                 onSuccess: function (context) {
>>>>>>>>                     // Logic to execute if step 3 succeeded
>>>>>>>>                 },
>>>>>>>>                 onFail: function (context) {
>>>>>>>>                     forceRetry(context);
>>>>>>>>                 }
>>>>>>>>             });
>>>>>>>>         }
>>>>>>>>     });
>>>>>>>> }
>>>>>>>>
>>>>>>>> Please share your thoughts on this.
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Senthalan
>>>>>>>> --
>>>>>>>> Senthalan Kanagalingam | Software Engineer | WSO2 Inc.
>>>>>>>> (m) +94 (0) 77 18 77 466 | (w) +94117435800 | (e) sentha...@wso2.com
>>>>>>>> <http://wso2.com/signature>
>>>>>>>>
>>>>>>> --
>>>>>>> Johann Dilantha Nallathamby | Associate Director/Solutions
>>>>>>> Architect | WSO2 Inc.
>>>>>>> (m) +94 (77) 7776950 | (w) +94 (11) 2145345 | (e) joh...@wso2.com
>>>>>>>
>>>>>> --
>>>>>> Ishara Karunarathna
>>>>>> Senior Technical Lead
>>>>>> WSO2 Inc. - lean . enterprise . middleware | wso2.com
>>>>>>
>>>>>> email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile:
>>>>>> +94717996791
>>>>>>
>>> --
>>> Ruwan Abeykoon | Director/Architect | WSO2 Inc.
>>> (w) +947435800 | Email: ruw...@wso2.com
>>>
> --
> Vihanga Liyanage
> Software Engineer | WSO2 Inc.
> M: +94710124103 | http://wso2.com
>
_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
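
The script proposed in the thread, run against a toy step handler, as an added example that is not part of the original messages and not WSO2 Identity Server code. It shows that without the flag an already-passed step 2 is skipped when step 3 is retried, and that a restart cap keeps the recursive forceRetry() from looping without bound. Assumptions: runLogin, step3Results and maxRestarts are hypothetical names, forceStepRetry is the option proposed in the thread, and the cap is added here in the spirit of the "x number of attempts" suggestion.

```javascript
// Added illustration: a toy step handler, not WSO2 Identity Server code.
// runLogin, step3Results and maxRestarts are hypothetical names; the
// restart cap is an assumption added here, not part of the proposal.
function runLogin(step3Results, force, maxRestarts) {
  const done = new Set();            // steps already passed in this request
  const prompts = [];                // steps the user was actually shown
  const results = step3Results.slice();
  let restarts = 0;
  let result = "pending";

  function executeStep(step, options, callbacks) {
    if (done.has(step) && !options.forceStepRetry) {
      callbacks.onSuccess();         // already authenticated: step is skipped
      return;
    }
    prompts.push(step);
    // Constructed outcomes: steps 1 and 2 always pass, step 3 follows the list.
    const ok = step === 3 ? results.shift() === true : true;
    if (ok) {
      done.add(step);
      callbacks.onSuccess();
    } else {
      callbacks.onFail();
    }
  }

  function forceRetry() {
    executeStep(2, { forceStepRetry: force }, {
      onSuccess: function () {
        executeStep(3, {}, {
          onSuccess: function () { result = "authenticated"; },
          onFail: function () {
            if (restarts >= maxRestarts) { result = "denied"; return; }
            restarts += 1;
            forceRetry();            // same recursion as the thread's script
          }
        });
      },
      onFail: function () { result = "denied"; }
    });
  }

  executeStep(1, {}, {
    onSuccess: forceRetry,
    onFail: function () { result = "denied"; }
  });
  return { result: result, prompts: prompts };
}

console.log(runLogin([false, true], true, 3));   // constructed outcomes
console.log(runLogin([false, true], false, 3));
```

The prompts array is the sequence of steps the user was actually asked to complete, so comparing the two runs shows exactly which re-authentication the flag adds.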