Hi Hasintha, Same can happen in multi-step authentication where a user successfully login wiht1st authenticator and fail in the 2nd case.
On Mon, Jan 29, 2018 at 8:04 PM, Hasintha Indrajee <hasin...@wso2.com> wrote: > We have the feature of enabling authorization for service provider [1]. > Imagine a scenario where we login to an SP for the very first time and > authorization fails due to some violation of authorization policies. Even > if authorization fails we do set commonAuthId cookie in the response which > means the user has a valid SSO session from that point onwards. > > This can be seen in two perspectives. > > 1) The user is authenticated, but authorization fails, Hence we should set > the cookie for SSO irrespective of authorization decision. > > 2) But this may lead to an inconsistant state. Suppose this is the only > application the user is allowed to login. But due to some policy violation, > the first login fails. In a case of a shared computer this leads to a > deadlock where the user neither can't properly login nor proper logout. We > can use the workaround of calling commonAuthLogout=true. But this will not > do a proper logout. (logging out external idps). Hence in a shared computer > the user has no option. > I think in this case user should close the browser, then he won't get this issue. this is valid for the multi step authentication as well. -Ishara > > Hence I think we can avoid setting cookie until a user successfully > accesses at least a single application upon successful authentication and > authorization. So simply even if the user is authenticated for the very > first time, we will not set the cookie unless the user is authorized to > access that particular application. (This only applies to the very first > app the user is trying to login) > > WDYT ? > > > [1] https://docs.wso2.com/display/IS530/Configuring+ > Access+Control+Policy+for+a+Service+Provider > > > > -- > Hasintha Indrajee > WSO2, Inc. > Mobile:+94 771892453 <+94%2077%20189%202453> > > -- Ishara Karunarathna Technical Lead WSO2 Inc. - lean . enterprise . middleware | wso2.com email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile: +94717996791
_______________________________________________ Dev mailing list Dev@wso2.org http://wso2.org/cgi-bin/mailman/listinfo/dev
