
PrivacyIDEA should determine the expiration status of a challenge internally #1837

Closed
NuvandaPV opened this issue Sep 3, 2019 · 3 comments

Comments

@NuvandaPV
Contributor

commented Sep 3, 2019

Token-challenges have an expiry associated with them. Currently it is left to the client talking to PI to check whether a challenge is actually still valid, before allowing the user to sign in.

This leads to several problems:

  1. It is easy to forget to check this, see: privacyidea/privacyidea-owncloud-app#73
  2. It may not be possible for the client to determine whether the token is still valid, since the client has to guess the timezone of the PI-server, see: #1586
  3. If there is any difference (even just 30 seconds) between the clocks of client and server, this way of checking challenge validity can lead to hard-to-debug errors.

A nicer way to handle this would be to add a Boolean indicating whether a challenge has expired to /token/challenges.
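To make the three problems concrete, here is an added example (not privacyIDEA's own code; the challenge record, field names, server timezone and the shape of the `/token/challenges` entry are assumptions) that contrasts the client-side guess described above with a server-side `expired` flag:

```python
from datetime import datetime, timedelta, timezone

# Constructed sample challenge; field names are assumptions for this example.
def make_challenge(transaction_id, validity_seconds, now_utc):
    return {"transaction_id": transaction_id,
            "expiration": now_utc + timedelta(seconds=validity_seconds)}

def challenge_is_expired(challenge, now_utc):
    """Server-side decision: one clock, one timezone (UTC), no guessing."""
    return now_utc >= challenge["expiration"]

def challenges_response(challenges, now_utc):
    """Assumed shape of a /token/challenges entry carrying the proposed flag."""
    return [{"transaction_id": c["transaction_id"],
             "expiration": c["expiration"].isoformat(),
             "expired": challenge_is_expired(c, now_utc)} for c in challenges]

def client_side_check(expiration_str, client_now, assumed_tz):
    """The fragile approach the issue argues against: the client parses the
    server's timestamp, guesses the server's timezone and uses its own clock."""
    exp = datetime.fromisoformat(expiration_str)
    if exp.tzinfo is None:            # no offset in the string: must guess
        exp = exp.replace(tzinfo=assumed_tz)
    return client_now >= exp

def demo():
    server_tz = timezone(timedelta(hours=2))             # assumed server zone
    now_utc = datetime(2019, 9, 3, 10, 0, tzinfo=timezone.utc)
    ch = make_challenge("tx-0001", 120, now_utc)         # valid for 2 minutes
    # Server emits its local time without an offset, as a client might get it.
    naive_local = ch["expiration"].astimezone(server_tz).replace(tzinfo=None).isoformat()

    # Problem 2: client assumes UTC, so the challenge looks valid 2 hours too long.
    later = now_utc + timedelta(minutes=10)
    server_says = challenges_response([ch], later)[0]["expired"]
    client_says = client_side_check(naive_local, later, timezone.utc)

    # Problem 3: correct timezone, but the client clock runs 30 s ahead; a
    # challenge with 15 s left is rejected as expired.
    near_end = now_utc + timedelta(seconds=105)
    server_near = challenge_is_expired(ch, near_end)
    client_near = client_side_check(ch["expiration"].isoformat(),
                                    near_end + timedelta(seconds=30), server_tz)
    return {"server_later": server_says, "client_later": client_says,
            "server_near_end": server_near, "client_near_end": client_near}

if __name__ == "__main__":
    print(demo())
```

With the flag computed on the server, the client only has to read `expired` and never compares timestamps across two clocks.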

@fredreichbier

Member

commented Sep 4, 2019

I agree, I think adding a boolean flag to the /token/challenges response is a good idea.

@cornelinux

Member

commented Sep 6, 2019

Again to clarify this: the validity of the challenge was always meant for the time in which it has to be answered.
If the challenge was answered successfully within the validity period, it is fine.

@cornelinux

Member

commented Sep 6, 2019

This is a duplicate of #1838. Well, #1838 is a duplicate of this issue. But since there is more information in #1838, I close this issue. The owncloud App then should use the new endpoint from #1838 or /validate/check with an empty password for push and tiqr.
