On authentication session expiration and other errors, oxAuth should redirect user to intended RP #906

Closed
yurem opened this Issue Sep 19, 2018 · 2 comments

yurem commented Sep 19, 2018

Instead of showing an error page, we should redirect to the RP with new error codes: session_expired, authentication_error, user_account_disabled.

Also, we need to add a new JSON property redirectOnAuthenticationError: true/false to turn off this redirect. The default value should be true.

@yurem yurem added this to the 3.1.5 milestone Sep 19, 2018

@willow9886 willow9886 changed the title from On autentication session expiration and other errors oxAuth should redirect user to RP to On authentication session expiration and other errors, oxAuth should redirect user to intended RP Sep 19, 2018

@yurem yurem self-assigned this Sep 26, 2018

yurem added a commit that referenced this issue Dec 7, 2018


yurem commented Dec 7, 2018

On error types like this, the bigger challenge is how to get information about the RP. This happens because on authentication session we remove from cache all AuthN & AuthZ related data. I find the next approach to handle this:

  1. After getting the AuthZ request, oxAuth adds a Secure cookie rp_origin_id=redirect_uri with context /oxauth.
  2. On error, the application uses this cookie value to send the error to the RP.

Here are 3 error types which it uses now:

https://localhost:8453/identity/authentication/getauthcode?error_description=The+authorization+server+can%27t+handle+user+authentication+due+to+session+expiration&hint=Create+authorization+request+to+start+new+authentication+session.&error=authentication_session_invalid
https://localhost:8453/identity/authentication/getauthcode?error_description=The+resource+owner+or+authorization+server+denied+the+request.&hint=Create+authorization+request+to+start+new+authentication+session.&error=access_denied
https://localhost:8453/identity/authentication/getauthcode?error_description=The+authorization+server+can%27t+handle+user+authentication+due+to+error+caused+by+ACR&hint=Create+authorization+request+to+start+new+authentication+session.&error=invalid_authentication_method

@yurem yurem closed this Dec 7, 2018


yurem commented Dec 7, 2018

To switch between old and new error handling behavior, there is the oxAuth property errorHandlingMethod. The default value is internal, which means that the application works as before.

yurem added a commit that referenced this issue Dec 7, 2018

yurem added a commit that referenced this issue Dec 14, 2018

yurem added a commit that referenced this issue Dec 14, 2018

yurem added a commit that referenced this issue Dec 14, 2018
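The two-step cookie approach from the Dec 7 comment, as an added Python sketch that is not oxAuth's own code: it sets the `rp_origin_id` cookie and, on error, turns the returned cookie value into the RP redirect with the `error_description`, `hint` and `error` parameters shown in the issue. The function names, the percent-encoding of the cookie value, the `HttpOnly` attribute and the exact-match check against a set of registered redirect URIs are assumptions added here; the check is there because the cookie comes back from the browser and would otherwise decide where the user is sent.

```python
from urllib.parse import parse_qsl, quote, unquote, urlencode, urlsplit, urlunsplit

COOKIE_NAME, COOKIE_PATH = "rp_origin_id", "/oxauth"  # both taken from the issue
HINT = "Create authorization request to start new authentication session."
# Error codes and descriptions copied from the three URLs in the issue.
ERRORS = {
    "authentication_session_invalid":
        "The authorization server can't handle user authentication due to session expiration",
    "access_denied":
        "The resource owner or authorization server denied the request.",
    "invalid_authentication_method":
        "The authorization server can't handle user authentication due to error caused by ACR",
}


def set_cookie_header(redirect_uri):
    """Step 1: remember the RP's redirect_uri in a Secure cookie."""
    # Assumption: percent-encoded value and HttpOnly; the issue names only Secure.
    value = quote(redirect_uri, safe="")
    return f"{COOKIE_NAME}={value}; Path={COOKIE_PATH}; Secure; HttpOnly"


def error_redirect(cookie_value, registered_uris, error):
    """Step 2: build the RP redirect, or return None to show the error page."""
    if not cookie_value or error not in ERRORS:
        return None
    target = unquote(cookie_value)
    # The cookie is browser-supplied, so treat it as untrusted input:
    # accept only an exact match with a registered redirect URI
    # (registered_uris is a hypothetical lookup, not an oxAuth API).
    if target not in registered_uris:
        return None
    parts = urlsplit(target)
    # Keep any query string the RP registered, then append the error fields
    # in the order used by the URLs in the issue.
    query = parse_qsl(parts.query, keep_blank_values=True)
    query += [("error_description", ERRORS[error]), ("hint", HINT), ("error", error)]
    return urlunsplit(parts._replace(query=urlencode(query), fragment=""))
```

A `None` result means the caller falls back to the internal error page instead of redirecting.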
