
Optional re-auth request by the user #33

Open
wants to merge 1 commit into
base: v3.0.0

Conversation

k3a

@k3a k3a commented May 24, 2020

If the logged-in user with a valid token doesn't have the proper group (RBAC rules don't authorize him to do the action) and the request's Accept header mentions text/html, it presents a message with a re-authentication link. That link can force re-authentication by doing the OIDC flow again.

The use scenario is:

  • the user has an older, valid token and RBAC doesn't authorize him
  • the user asks the administrator to grant him the necessary group
  • the administrator adds a new group in whatever OIDC auth provider they use
  • the user clicks the re-auth link to redo the OIDC flow, gets a new token with the fresh groups claim, and accesses the previously denied resource

What do you think about this one?

@k3a k3a mentioned this pull request May 24, 2020
@jr0d
Contributor

jr0d commented Apr 9, 2021

@k3a It's been a while and I am finally back to working on this. I am going to cherry-pick this commit into master and test it. I am also thinking about adding a logout handler that will clear sessions. Right now, UIs implementing a logout flow need to know what cookies to invalidate. Rather than doing this, they could hit _oauth/logout and tfa could perform any cleanup that needs to happen.

@k3a
Author

k3a commented Apr 12, 2021

I have been using it in production successfully. Sometimes people haven't had a proper group and it required a re-auth after granting them the group. They were able to re-auth successfully after seeing the message and clicking on the link. :)

We haven't had a need for a logout. It makes sense, and logout and re-auth are related, but keep in mind that logging them out of TFA may still keep them logged in to the identity provider. That means that upon visiting a protected page, a new auth flow will be done again.

So such a logout should probably just clear TFA cookies and display a simple page saying "You have been logged out". It shouldn't just redirect back to a protected page, hoping that the upstream identity provider will always display a "Log in" dialog. It may have its own session management, and there isn't a unified method for ending all OIDC sessions (yet). Ideally, TFA should somehow instruct the OIDC provider to end the session, too.
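The two behaviours discussed in this thread, the re-auth link for an authenticated-but-unauthorized browser request and a logout that only clears the proxy's own cookies, as an added illustration in Go. This is example code, not tfa's code or the commit under review; the cookie name and the `/_oauth/reauth` and `/_oauth/login` routes are hypothetical.

```go
package main

import (
	"io"
	"net/http"
	"strings"
)

// Hypothetical route and cookie names, not tfa's real ones.
const sessionCookie, reauthPath, oidcStartPath = "_forward_auth", "/_oauth/reauth", "/_oauth/login"

const deniedPage = `<!doctype html><p>Your login is valid, but your groups do not allow this action.</p>
<p>If an administrator just granted you access, <a href="` + reauthPath + `">re-authenticate</a> to get a token with the fresh groups claim.</p>`

// wantsHTML: the PR's test is whether Accept mentions text/html; a bare */*
// (curl, API clients) does not count, so those callers keep getting a plain 403.
func wantsHTML(accept string) bool { return strings.Contains(accept, "text/html") }

// writeForbidden answers an authorized-check failure. The token was valid, so the
// status stays 403 (not 401 or a login redirect); browsers additionally get the link.
func writeForbidden(w http.ResponseWriter, r *http.Request) {
	if !wantsHTML(r.Header.Get("Accept")) {
		http.Error(w, "Forbidden", http.StatusForbidden)
		return
	}
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	w.WriteHeader(http.StatusForbidden)
	io.WriteString(w, deniedPage)
}

// clearSession expires the proxy cookie; the IdP's own session is untouched.
func clearSession(w http.ResponseWriter) {
	http.SetCookie(w, &http.Cookie{Name: sessionCookie, Value: "", Path: "/", MaxAge: -1, HttpOnly: true, Secure: true})
}

// reauthHandler drops the session and restarts OIDC at a fixed path (never a
// caller-supplied URL), so the next token carries the current groups claim.
func reauthHandler(w http.ResponseWriter, r *http.Request) {
	clearSession(w)
	http.Redirect(w, r, oidcStartPath, http.StatusFound)
}

// logoutHandler drops the session and shows a page instead of redirecting to a
// protected URL, which would only start a new login while the IdP session lives on.
func logoutHandler(w http.ResponseWriter, r *http.Request) {
	clearSession(w)
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	io.WriteString(w, "<!doctype html><p>You have been logged out of this proxy.</p>")
}
```

Wire the three handlers into the proxy's mux (`reauthPath`, a logout path, and `writeForbidden` wherever the RBAC check fails) and the behaviour matches the thread: browsers see the link, API clients see a bare 403, and logout never bounces the user back into a login.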
