On Friday, January 19, 2018, Sathya Bandara <[email protected]> wrote:

> Hi all,
>
> When there is an already authenticated session for an application user
> with Identity Server, there is no necessity to prompt for another login to
> the IS if the user logs into the application from another tab in the same
> browser.
> However we can change the service providers authentication scheme
> (authentication steps and authenticators in each step) while the user has
> this session.
> In this case, if the user tries to log into the application he is not
> prompted for re-authentication. This is the default behavior of IS.
> Shouldn't we prompt the user to authenticate if the service provider's
> authentication scheme is modified or is this an intended behavior?
>
> Appreciate your thoughts on this.
>

The reason for this behaviour is that we cache the service provider
configuration in the user's session context (context created for successful
authentication). This session context is stored against the cookie
(commonauth) used to identify whether the user already has a session in IS.

So whenever a user reauthenticates, the user's authenticated steps/IdPs are
compared with the cached service provider configs.

When you change the service provider configs it does not get reflected in
the cached service provider configs in the user's authenticated session.

With the current implementation this is the expected behaviour.

But IMO we should improve this to always fetch the latest service provider
configs and compare the user's authentication steps/IdPs against it (i.e. we
should avoid caching configurations).

Shall we create a github issue to track this improvement?

Thanks,
> Sathya
> --
> Sathya Bandara
> Software Engineer
> WSO2 Inc. http://wso2.com
> Mobile: (+94) 715 360 421
>


-- 
Farasath Ahamed
Senior Software Engineer, WSO2 Inc.; http://wso2.com
Mobile: +94777603866
Blog: blog.farazath.com
Twitter: @farazath619 <https://twitter.com/farazath619>
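To make the behaviour discussed above concrete, here is an added model of the re-authentication decision, written for this thread rather than taken from WSO2 Identity Server's code base. The classes SessionContext, ServiceProvider and AuthStep, the registry lookup and the scenario data are all assumptions; the point is the difference between comparing the user's completed steps against the service provider configuration cached in the session and against the configuration fetched fresh.

```python
"""Constructed model of the re-auth check described in the thread (not WSO2 IS code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthStep:
    """One authentication step and the authenticators allowed to satisfy it (assumed shape)."""
    step: int
    authenticators: frozenset


@dataclass(frozen=True)
class ServiceProvider:
    """Service provider authentication scheme: an ordered set of steps (assumed shape)."""
    name: str
    steps: tuple


@dataclass
class SessionContext:
    """What the session keyed by the commonauth cookie holds (assumed shape):
    the steps the user completed and the SP config snapshot cached at login time."""
    authenticated_steps: dict
    cached_sp: ServiceProvider


def steps_satisfied(authenticated: dict, sp: ServiceProvider) -> bool:
    """True when every configured step was completed with one of its permitted authenticators."""
    return all(authenticated.get(s.step) in s.authenticators for s in sp.steps)


def needs_reauth_cached(ctx: SessionContext) -> bool:
    """Current behaviour: compare against the SP config cached in the session context."""
    return not steps_satisfied(ctx.authenticated_steps, ctx.cached_sp)


def needs_reauth_live(ctx: SessionContext, registry: dict) -> bool:
    """Proposed behaviour: always fetch the latest SP config before comparing."""
    latest = registry[ctx.cached_sp.name]
    return not steps_satisfied(ctx.authenticated_steps, latest)


# Constructed scenario: user logged in with a single basic-auth step, then an admin
# added a second (TOTP) step to the SP while the session was still alive.
ORIGINAL_SP = ServiceProvider("demo-app", (AuthStep(1, frozenset({"BasicAuthenticator"})),))
UPDATED_SP = ServiceProvider("demo-app", (AuthStep(1, frozenset({"BasicAuthenticator"})),
                                          AuthStep(2, frozenset({"totp"}))))
SESSION = SessionContext({1: "BasicAuthenticator"}, ORIGINAL_SP)
REGISTRY_UPDATED = {"demo-app": UPDATED_SP}   # admin has changed the scheme
REGISTRY_UNCHANGED = {"demo-app": ORIGINAL_SP}

if __name__ == "__main__":
    print("cached config, scheme changed -> reauth?", needs_reauth_cached(SESSION))
    print("live config, scheme changed   -> reauth?", needs_reauth_live(SESSION, REGISTRY_UPDATED))
```

With the cached snapshot the stale session still passes after the scheme gains a step; fetching the latest configuration forces the missing step to be completed, while an unchanged configuration still lets the session through.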
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev