[mitreid-connect] Re-requesting tokens

James Agnew jamesagnew at gmail.com
Thu Sep 4 17:23:00 EDT 2014


Hello,

Hopefully this isn't a dumb question, but let's give it a shot. I have a
web application (let's call it Resource Server) which is secured using a
MitreID Connect installation (let's call it Auth Server). It uses the
standard "code" flow, and works fine.

I need to allow the user to explicitly log out of the Resource Server. In
the RS the user can click a logout button which clears their session and
deletes the token. The problem is that if they try to log in again, the
Auth Server automatically grants them a new token without asking for
credentials, since the user still has an active session with the Auth
Server itself.

So my question is this: is this a security hole? Should the Auth Server be
clearing the user's session upon calls to "/authorize"? I'm happy to take a
crack at implementing that (either as an optional feature or as default
behavior), but maybe I'm missing something fundamental.

Cheers,
James
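As an added example (not part of the original message, and not MITREid Connect's own code), here is one way a Resource Server can avoid silently receiving a new token after a local logout: on the next authorization request it sends the OpenID Connect Core `prompt=login` parameter, which asks the Auth Server to re-authenticate the end user even when the server's own session is still alive, and it binds the request to a fresh `state` value that it checks on the callback. The endpoints and client id below are placeholders, the "logged out locally" flag stands in for whatever the RS session records, and whether a given MITREid Connect deployment honours `prompt` is something to confirm against its version rather than assume.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Placeholder endpoints for the Auth Server and Resource Server in the question.
AUTH_SERVER_AUTHORIZE = "https://auth.example.test/openid-connect-server-webapp/authorize"
RS_REDIRECT_URI = "https://rs.example.test/openid_connect_login"
CLIENT_ID = "example-client"  # placeholder client registration


def new_state():
    """Unguessable per-request value stored in the RS session and checked on callback."""
    return secrets.token_urlsafe(32)


def build_authorize_url(state, just_logged_out, client_id=CLIENT_ID,
                        redirect_uri=RS_REDIRECT_URI, scope="openid"):
    """Build the standard code-flow authorization request.

    When the user has just logged out of the RS, add prompt=login so the
    Auth Server must re-collect credentials instead of reusing its session.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    if just_logged_out:
        params["prompt"] = "login"  # OpenID Connect Core 3.1.2.1
    return AUTH_SERVER_AUTHORIZE + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Validate the redirect back from the Auth Server and return the code.

    A state mismatch means the response was not produced for this RS session
    (replay or login CSRF) and must be rejected before any token exchange.
    """
    query = parse_qs(urlparse(callback_url).query)
    returned_state = query.get("state", [None])[0]
    if returned_state != expected_state:
        raise ValueError("state mismatch: callback does not belong to this session")
    if "error" in query:
        # e.g. login_required when the server will not re-authenticate
        raise ValueError("authorization error: " + query["error"][0])
    if "code" not in query:
        raise ValueError("callback carries no authorization code")
    return query["code"][0]


if __name__ == "__main__":
    state = new_state()
    print(build_authorize_url(state, just_logged_out=True))
    # Constructed sample callback, as the Auth Server would redirect to the RS
    sample = RS_REDIRECT_URI + "?" + urlencode({"code": "abc123", "state": state})
    print(parse_callback(sample, state))
```

After the local logout the RS would call `build_authorize_url(state, just_logged_out=True)` once and then drop the flag, so later logins in the same browser session can still benefit from the Auth Server's single sign-on.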