<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">All depends on where in the stack you configure the user login. Most of the time, the SSO check happens very early on, though, long before the application code kicks in. The idea is that you shouldn’t even bother processing the request if you don’t know who the user is.<div class=""><br class=""></div><div class=""> — Justin</div><div class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Dec 2, 2016, at 3:41 PM, Luiz Omori <<a href="mailto:luiz.omori@duke.edu" class="">luiz.omori@duke.edu</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div class="WordSection1" style="page: WordSection1; font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255);"><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman';" class=""><span style="font-size: 11pt; font-family: Calibri;" class="">I see, a bit tricky. The SSO scenario is even a bit scarier: let’s say the user is not logged in anywhere within MitreID domains and SSO partners. Even though the operation described below failed, not only the user behind the scenes is logged in to MitreID but also to all SSOs. I mean, I understand that deleting an existing session may be too drastic but creating a brand new one upon failure seems an unnecessary risk. Can’t it perform the redirect_url check before going all the way to the user log in?<o:p class=""></o:p></span></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman';" class=""><span style="font-size: 11pt; font-family: Calibri;" class=""><o:p class=""> </o:p></span></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman';" class=""><span style="font-size: 11pt; font-family: Calibri;" class="">Regards,<o:p class=""></o:p></span></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman';" class=""><span style="font-size: 11pt; font-family: Calibri;" class="">Luiz<o:p class=""></o:p></span></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman';" class=""><span style="font-size: 11pt; font-family: Calibri;" class=""><o:p class=""> </o:p></span></div><div style="border-style: solid none none; border-top-color: rgb(181, 196, 223); border-top-width: 1pt; padding: 3pt 0in 0in;" class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman';" class=""><b class=""><span style="font-family: Calibri;" class="">From:<span class="Apple-converted-space"> </span></span></b><span style="font-family: Calibri;" class="">Justin Richer <<a href="mailto:jricher@mit.edu" class="">jricher@mit.edu</a>><br class=""><b class="">Date:<span class="Apple-converted-space"> </span></b>Friday, December 2, 2016 at 3:24 PM<br class=""><b class="">To:<span class="Apple-converted-space"> </span></b>Luiz Omori <<a href="mailto:luiz.omori@duke.edu" class="">luiz.omori@duke.edu</a>><br class=""><b class="">Cc:<span class="Apple-converted-space"> </span></b>"<a href="mailto:mitreid-connect@mit.edu" class="">mitreid-connect@mit.edu</a>" <<a href="mailto:mitreid-connect@mit.edu" class="">mitreid-connect@mit.edu</a>><br class=""><b class="">Subject:<span class="Apple-converted-space"> </span></b>Re: [mitreid-connect] Suspicious behaviour when invalid redirect uri is detected?<o:p class=""></o:p></span></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman';" class=""><o:p class=""> </o:p></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman';" class="">This is expected but I understand it could be disconcerting. Your session to the IdP is not terminated on an error. Not only would that be an awful user experience in most cases, in some instances where the server is deployed in an SSO environment you *can’t* really kill the session anyway.<span class="Apple-converted-space"> </span><o:p class=""></o:p></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman';" class=""><o:p class=""> </o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman';" class=""> — Justin<o:p class=""></o:p></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman';" class=""><o:p class=""> </o:p></div><div class=""><blockquote style="margin-top: 5pt; margin-bottom: 5pt;" class=""><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman';" class="">On Dec 1, 2016, at 11:32 AM, Luiz Omori <<a href="mailto:luiz.omori@duke.edu" style="color: purple; text-decoration: underline;" class="">luiz.omori@duke.edu</a>> wrote:<o:p class=""></o:p></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman';" class=""><o:p class=""> </o:p></div><div class=""><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman'; background-color: white;" class=""><span style="font-size: 11pt; font-family: Calibri;" class="">Hi,</span><span style="font-family: Calibri;" class=""><o:p class=""></o:p></span></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman'; background-color: white;" class=""><span style="font-size: 11pt; font-family: Calibri;" class=""> </span><span style="font-family: Calibri;" class=""><o:p class=""></o:p></span></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman'; background-color: white;" class=""><span style="font-size: 11pt; font-family: Calibri;" class="">Interesting thing happened this morning while testing an application. I was using the Implicit flow and put a redirect url that hadn’t been configured in the server yet. The proper error message was displayed but I’ve noticed that may name was displayed on the top-right corner and could access some features from the server as if I was logged in to it. Is this by expected? I was kind of expecting that upon error my login would be aborted.</span><span style="font-family: Calibri;" class=""><o:p class=""></o:p></span></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman'; background-color: white;" class=""><span style="font-size: 11pt; font-family: Calibri;" class=""> </span><span style="font-family: Calibri;" class=""><o:p class=""></o:p></span></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman'; background-color: white;" class=""><span style="font-size: 11pt; font-family: Calibri;" class="">Regards,</span><span style="font-family: Calibri;" class=""><o:p class=""></o:p></span></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman'; background-color: white;" class=""><span style="font-size: 11pt; font-family: Calibri;" class="">Luiz</span><span style="font-family: Calibri;" class=""><o:p class=""></o:p></span></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman'; background-color: white;" class=""><span style="font-size: 11pt; font-family: Calibri;" class=""> </span><span style="font-family: Calibri;" class=""><o:p class=""></o:p></span></div></div><div class=""><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman'; background-color: white;" class=""><span style="font-size: 11pt; font-family: Calibri;" class="">(Pictures removed...)</span><span style="font-family: Calibri;" class=""><o:p class=""></o:p></span></div></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman';" class=""><span style="font-size: 9pt; font-family: Helvetica; background-color: white; background-position: initial initial; background-repeat: initial initial;" class="">_______________________________________________</span><span style="font-size: 9pt; font-family: Helvetica;" class=""><br class=""><span style="background-color: white; background-position: initial initial; background-repeat: initial initial;" class="">mitreid-connect mailing list</span><br class=""></span><a href="mailto:mitreid-connect@mit.edu" style="color: purple; text-decoration: underline;" class=""><span style="font-size: 9pt; font-family: Helvetica; color: rgb(149, 79, 114); background-color: white; background-position: initial initial; background-repeat: initial initial;" class="">mitreid-connect@mit.edu</span></a><span style="font-size: 9pt; font-family: Helvetica;" class=""><br class=""></span><a href="https://urldefense.proofpoint.com/v2/url?u=http-3A__mailman.mit.edu_mailman_listinfo_mitreid-2Dconnect&d=CwMFaQ&c=imBPVzF25OnBgGmVOlcsiEgHoG1i6YHLR0Sj_gZ4adc&r=R6m41WT3w_KtulQAsSIxc_C2mwuKoWSycEMpss0QQJA&m=YoJA05euf5lY8uMCoYCMWH38IgMqk01jZ2ycHC6-GBw&s=BJSQi21OexyOoCNxbtU4fAtA1f844hO-dICE8Nc4s5c&e=" style="color: purple; text-decoration: underline;" class=""><span style="font-size: 9pt; font-family: Helvetica; color: rgb(149, 79, 114); background-color: white; background-position: initial initial; background-repeat: initial initial;" class="">http://mailman.mit.edu/mailman/listinfo/mitreid-connect</span></a><o:p class=""></o:p></div></div></blockquote></div><div style="margin: 0in 0in 0.0001pt; font-size: 12pt; font-family: 'Times New Roman';" class=""><o:p class=""> </o:p></div></div></div></div></blockquote></div><br class=""></div></body></html>