Thanks for the clarification, Vihanga. So this is a kind of "force"
authentication where the forcing happens within the context of the same
authentication request rather than across different authentication requests
in the same session. I can also see that it is a valid requirement. It also
has no relevance to the retryAuthenticationEnabled() method in the
authenticator interface, as that is only relevant within the context of an
authentication step; this requirement goes beyond a single authentication
step. +1 to support it at the authentication framework level.

Thanks & Regards,
Johann.

On Tue, Jul 23, 2019 at 3:25 PM Vihanga Liyanage <viha...@wso2.com> wrote:

> Hi Johann,
>
> Let me explain a sample scenario which led to developing this feature in
> the first place.
>
>    1. The system has three different authenticators, which we'll call
>    step 1, 2 and 3.
>    2. A user first completes step 1 and on success step 2 prompts, and
>    again on the success of step 2, step 3 prompts.
>    3. In a case of failure in step 1 or 2, the user should stay in the
>    same step, retrying.
>    4. But if step 3 fails, we need to go back to step 1 and restart the
>    flow from there.
>
> In the current implementation, we cannot go back to step 1 on a
> failure of step 3, since step 1 is already successful. That's why we're
> talking about a "Force Retry mechanism".
>
> @Senthalan Kanagalingam <sentha...@wso2.com> Please correct me if I'm
> wrong.
>
> Regards,
> Vihanga.
>
> On Mon, Jul 22, 2019 at 12:10 PM Johann Nallathamby <joh...@wso2.com>
> wrote:
>
>> I think we are confusing the terms here.
>> 1. "Retrying" is about allowing the user to retry authentication within
>> the scope of the same authentication request from the service provider.
>> This is mainly for failure on user's part to correctly authenticate.
>> 2. "Forcing" is about making the user authenticate to IS even though
>> (s)he may have a logged-in session already with IS from a previous
>> authentication request. Technically "forcing" is when the user has to again
>> authenticate with the same authenticator (s)he authenticated previously. If
>> user must authenticate with a higher assurance level authenticator then
>> that is classified as "step-up" and not "force".
>>
>> @Senthalan Kanagalingam <sentha...@wso2.com> can you clarify what
>> this thread is exactly about? Is it about "retry" or "force"? The subject of
>> the mail has both terms and different people seem to be talking of slightly
>> different things, therefore I am a bit confused.
>>
>> Thanks & Regards,
>> Johann.
>>
>> On Mon, Jul 22, 2019 at 7:55 AM Ruwan Abeykoon <ruw...@wso2.com> wrote:
>>
>>> Hi Senthalan,
>>> I think we need two options here.
>>> 1. To allow retry for x number of attempts when the authenticator has
>>> failed.
>>> 2. To allow retry if the same authenticator has been successful in
>>> current authentication session.
>>>
>>> Cheers,
>>> Ruwan A
>>>
>>>
>>> On Mon, Jul 22, 2019 at 11:19 AM Senthalan Kanagalingam <
>>> sentha...@wso2.com> wrote:
>>>
>>>>
>>>> Hi all,
>>>>
>>>> On Sun, Jul 21, 2019 at 2:13 PM Maduranga Siriwardena <
>>>> madura...@wso2.com> wrote:
>>>>
>>>>> I think the requirement here is to force to execute the step though it
>>>>> is already authenticated for the browser session. @Senthalan, please
>>>>> correct me if I am wrong.
>>>>>
>>>> Yes, the requirement is to force to execute the step even though the
>>>> step is successfully authenticated.
>>>>
>>>>
>>>> Thanks,
>>>> Senthalan
>>>>
>>>>>
>>>>> Regards,
>>>>>
>>>>> On Sun, Jul 21, 2019, 8:14 AM Ishara Karunarathna <isha...@wso2.com>
>>>>> wrote:
>>>>>
>>>>>> Hi Senthalan,
>>>>>>
>>>>>> +1 for the idea,
>>>>>> At the moment we handle this in the authenticator level. So better to
>>>>>> get it into the framework level.
>>>>>>
>>>>>> -Ishara
>>>>>>
>>>>>> On Sun, Jul 21, 2019 at 5:29 AM Johann Nallathamby <joh...@wso2.com>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi Senthalan,
>>>>>>>
>>>>>>> In the AbstractAuthenticator interface we have a method as follows:
>>>>>>>
>>>>>>> protected boolean retryAuthenticationEnabled() {}
>>>>>>>
>>>>>>>
>>>>>>> My understanding was that the retry mechanism is enabled per
>>>>>>> authenticator level in the authentication-framework even now. Not sure
>>>>>>> if we can configure the retry count now. Is your idea to make this
>>>>>>> behavior adaptive?
>>>>>>>
>>>>>>> How would this improvement impact for:
>>>>>>> 1. Authenticators that have implemented "return true" for above
>>>>>>> method
>>>>>>> 2. Authenticators that have implemented "return false" for above
>>>>>>> method
>>>>>>> 3. Users who have extended and provided their own implementation
>>>>>>>
>>>>>>> Regards,
>>>>>>> Johann.
>>>>>>>
>>>>>>> On Thu, Jul 18, 2019 at 7:56 AM Senthalan Kanagalingam <
>>>>>>> sentha...@wso2.com> wrote:
>>>>>>>
>>>>>>>> Hi all,
>>>>>>>>
>>>>>>>> Currently, in our authentication framework, we force to retry the
>>>>>>>> complete authentication process. With the adaptive authentication
>>>>>>>> script, it will be great if we support a force-to-retry mechanism per
>>>>>>>> step. Let me explain a use case. There will be 3 steps for
>>>>>>>> authentication. If the 1st and 2nd steps passed successfully and the
>>>>>>>> 3rd step failed, the user has to again authenticate with the 2nd step
>>>>>>>> to retry the 3rd step.
>>>>>>>>
>>>>>>>> We can pass a flag in the authentication options parameter (let's
>>>>>>>> say { forceStepRetry : true }) from the script for each executeStep()
>>>>>>>> method and force to retry the step in the step handler.
>>>>>>>>
>>>>>>>> function onLoginRequest(context) {
>>>>>>>>     executeStep(1, {
>>>>>>>>         onSuccess: function (context) {
>>>>>>>>             forceRetry(context);
>>>>>>>>         }
>>>>>>>>     });
>>>>>>>> }
>>>>>>>>
>>>>>>>> function forceRetry(context) {
>>>>>>>>     executeStep(2, { forceStepRetry : true }, {
>>>>>>>>         onSuccess: function (context) {
>>>>>>>>             executeStep(3, {
>>>>>>>>                 onSuccess: function (context) {
>>>>>>>>                     // Logic to execute if step 3 succeeded
>>>>>>>>                 },
>>>>>>>>                 onFail: function (context) {
>>>>>>>>                     forceRetry(context);
>>>>>>>>                 }
>>>>>>>>             });
>>>>>>>>         }
>>>>>>>>     });
>>>>>>>> }
>>>>>>>>
>>>>>>>>
>>>>>>>> Please share your thoughts on this.
>>>>>>>>
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Senthalan
>>>>>>>> --
>>>>>>>> Senthalan Kanagalingam | Software Engineer | WSO2 Inc.
>>>>>>>> (m) +94 (0) 77 18 77 466 | (w) +94117435800 | (e)
>>>>>>>> sentha...@wso2.com
>>>>>>>> <http://wso2.com/signature>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> *Johann Dilantha Nallathamby* | Associate Director/Solutions
>>>>>>> Architect | WSO2 Inc.
>>>>>>> (m) +94 (77) 7776950 | (w) +94 (11) 2145345 | (e) joh...@wso2.com
>>>>>>> [image: Signature.jpg]
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Ishara Karunarathna
>>>>>> Senior Technical Lead
>>>>>> WSO2 Inc. - lean . enterprise . middleware |  wso2.com
>>>>>>
>>>>>> email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
>>>>>> +94717996791
>>>>>>
>>>>>>
>>>>>>
>>>>
>>>
>>> --
>>> Ruwan Abeykoon | Director/Architect | WSO2 Inc.
>>> (w) +947435800  | Email: ruw...@wso2.com
>>>
>>>
>>
>
>
> --
>
> Vihanga Liyanage
>
> Software Engineer | WSO2 Inc.
>
> M : +94710124103 | http://wso2.com
>
> <http://wso2.com/signature>
>


_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
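
Added example, not part of the thread and not WSO2 Identity Server code: a toy JavaScript model of the three-step scenario Vihanga describes. It shows that restarting after a step 3 failure only re-challenges steps 1 and 2 when the proposed `forceStepRetry` flag is set, and that a restart cap keeps the loop bounded. `runLogin`, its parameters and the skip-if-already-passed rule are assumptions for illustration; steps 1 and 2 always succeed here.

```javascript
// Constructed model: step3Results is a queue of outcomes for step 3
// (true = pass); an empty queue means step 3 keeps failing.
function runLogin(step3Results, force, maxRestarts) {
  const done = new Set();   // steps already passed in this authentication request
  const prompted = [];      // steps that actually challenged the user
  let restarts = 0;
  let result = "pending";

  // Hypothetical stand-in for the framework's step handler.
  function executeStep(step, options, callbacks) {
    if (done.has(step) && !options.forceStepRetry) {
      return callbacks.onSuccess();        // earlier success reused, no prompt
    }
    prompted.push(step);
    const ok = step === 3 ? step3Results.shift() === true : true;
    if (ok) { done.add(step); return callbacks.onSuccess(); }
    done.delete(step);
    return callbacks.onFail();
  }

  function flow() {
    const opts = { forceStepRetry: force };
    executeStep(1, opts, {
      onSuccess: () => executeStep(2, opts, {
        onSuccess: () => executeStep(3, {}, {
          onSuccess: () => { result = "authenticated"; },
          onFail: () => {
            // Bound the restarts so a failing last factor cannot loop forever.
            if (restarts++ >= maxRestarts) { result = "rejected"; return; }
            flow();                        // step 3 failed: restart from step 1
          },
        }),
        onFail: () => { result = "rejected"; },
      }),
      onFail: () => { result = "rejected"; },
    });
  }

  flow();
  return { result, prompted };
}

// Without the flag the restart silently skips steps 1 and 2.
console.log(runLogin([false, true], false, 3).prompted.join(","));
// With the flag every earlier step is challenged again.
console.log(runLogin([false, true], true, 3).prompted.join(","));
```
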