User-Interactive Authentication: What to respond when a client attempts to complete an already-completed stage? #1987
Assignees
Labels
clarification
An area where the spec could do with being more explicit
client-server
Client-Server API
Projects
Comments
turt2live
added
clarification
|
Although Synapse doesn't care, the language of the spec implies that completed stages cannot be retried. For re-transmission: the client could submit the stage again, and the server return an authentication error. |
turt2live
added a commit
that referenced
this issue
May 30, 2019
Fixes #1987 Note: Synapse currently does not care, however the spirit of the text in the spec implies that completed == done forever, so we're just reinforcing it here.
turt2live
added a commit
that referenced
this issue
May 30, 2019
Fixes #1987 Note: Synapse currently does not care, however the spirit of the text in the spec implies that completed == done forever, so we're just reinforcing it here.
|
Would it not be better to allow clients to re-submit the last stage, in the case e.g. where a proxy eats the server's response to the client and the client doesn't know if the last stage succeeded? |
|
The server would process it as "hey, you already did that: see? [completed_flows]" rather than try and re-validate |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
In the User-Interactive Authentication part of the specification, it states that the response contains an array of completed stages, as well as how to handle authentication stage attempts.
However, it does not specify what the correct behaviour would be if the client attempts to authenticate to a stage that has already been completed. Should it:
In particular considering the potential need for supporting retransmission of authentication attempts when the connection is shaky, I suspect that it should be option 1 or 2, but I'm not sure.
The text was updated successfully, but these errors were encountered: