We have the feature of enabling authorization for a service provider [1]. Imagine a scenario where we log in to an SP for the very first time and authorization fails due to some violation of authorization policies. Even if authorization fails, we do set the commonAuthId cookie in the response, which means the user has a valid SSO session from that point onwards.

This can be seen from two perspectives.

1) The user is authenticated, but authorization fails. Hence we should set the cookie for SSO irrespective of the authorization decision.

2) But this may lead to an inconsistent state. Suppose this is the only application the user is allowed to log in to. But due to some policy violation, the first login fails. In the case of a shared computer this leads to a deadlock where the user can neither properly log in nor properly log out. We can use the workaround of calling commonAuthLogout=true, but this will not do a proper logout (logging out external IdPs). Hence on a shared computer the user has no option.

Hence I think we can avoid setting the cookie until a user successfully accesses at least a single application upon successful authentication and authorization. So simply, even if the user is authenticated for the very first time, we will not set the cookie unless the user is authorized to access that particular application. (This only applies to the very first app the user is trying to log in to.)

WDYT?

[1] https://docs.wso2.com/display/IS530/Configuring+Access+Control+Policy+for+a+Service+Provider

--
Hasintha Indrajee
WSO2, Inc.
Mobile: +94 771892453
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
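The two behaviours discussed in the message above, modelled as an added example (this is illustration code written for this page, not code from WSO2 Identity Server or from the author). The SsoServer class, the cookie_before_authz switch, the credentials_ok stand-in for the actual authentication step, the per-app policy callables and the sample users and app names are all assumptions made for the example. It shows why setting commonAuthId on a failed first authorization leaves a session that no application can log out of, and that deferring the cookie only affects the very first app: once a session has reached one authorized app, a later denied app keeps the existing cookie.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set
import secrets


@dataclass
class Session:
    """Server-side SSO session keyed by the commonAuthId cookie value."""
    user: str
    # Apps reached through this session after passing BOTH authentication
    # and the service provider's access-control policy.
    authorized_apps: Set[str] = field(default_factory=set)


@dataclass
class LoginResult:
    authenticated: bool
    authorized: bool
    cookie: Optional[str]  # commonAuthId value to set/keep, or None if not set


class SsoServer:
    """Toy model of the SSO login decision (assumption: not the real WSO2 IS flow).

    policies maps an app name to a predicate over the user name; the SP is
    open to everyone if it has no policy entry.
    """

    def __init__(self, policies: Dict[str, Callable[[str], bool]],
                 cookie_before_authz: bool):
        self.policies = policies
        # True  -> current behaviour: cookie set as soon as authentication passes
        # False -> proposed behaviour: first cookie set only after authz succeeds
        self.cookie_before_authz = cookie_before_authz
        self.sessions: Dict[str, Session] = {}

    def login(self, user: str, app: str, cookie: Optional[str] = None,
              credentials_ok: bool = True) -> LoginResult:
        session = self.sessions.get(cookie) if cookie else None
        if session is not None:
            user = session.user          # SSO: identity comes from the session
        elif not credentials_ok:         # stand-in for the real authenticator
            return LoginResult(False, False, None)

        policy = self.policies.get(app)  # SP access-control policy check
        authorized = policy(user) if policy else True

        if session is None:
            # First app for this browser: decide whether a session is created.
            if not authorized and not self.cookie_before_authz:
                return LoginResult(True, False, None)
            cookie = secrets.token_hex(16)
            session = Session(user)
            self.sessions[cookie] = session

        if authorized:
            session.authorized_apps.add(app)
        # An existing session is kept regardless of this app's decision.
        return LoginResult(True, authorized, cookie)

    def stranded_sessions(self) -> List[str]:
        """Sessions that reached no app, so no app can start a proper logout."""
        return [c for c, s in self.sessions.items() if not s.authorized_apps]


# Constructed sample policies: hr-portal is restricted, wiki is open.
POLICIES: Dict[str, Callable[[str], bool]] = {
    "hr-portal": lambda user: user.endswith("@corp.example"),
    "wiki": lambda user: True,
}


def first_login_denied(cookie_before_authz: bool):
    """Contractor's very first login goes to an app that denies them."""
    server = SsoServer(POLICIES, cookie_before_authz)
    result = server.login("[email protected]", "hr-portal")
    return result, server.stranded_sessions()


def denied_after_successful_first_login():
    """With the proposed behaviour, a later denial does not drop the session."""
    server = SsoServer(POLICIES, cookie_before_authz=False)
    first = server.login("[email protected]", "wiki")
    second = server.login("[email protected]", "hr-portal", cookie=first.cookie)
    return first, second, server.stranded_sessions()


if __name__ == "__main__":
    for flag in (True, False):
        res, stranded = first_login_denied(flag)
        print(f"cookie_before_authz={flag}: cookie={res.cookie!r}, "
              f"stranded sessions={len(stranded)}")
```

Running the block with the current behaviour (cookie_before_authz=True) leaves exactly one stranded session on the shared machine; with the proposed behaviour no session is created for the denied first login, while a session that has already reached the wiki survives a later denial at hr-portal.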
