[mitreid-connect] Re-requesting tokens

James Agnew jamesagnew at gmail.com
Fri Sep 5 10:48:48 EDT 2014


Interesting (and thanks for the reply).

> It would be dangerous and undesirable to let an RP clear the session of
the IdP automatically.

I'm curious what makes this dangerous? I definitely understand the SSO
angle, since as you point out that is one of the major benefits of using an
auth server in the first place. Our problem is that we're deploying this in
a healthcare setting with shared workstations, so we have a regulatory need
for users to click a logout button and not have someone else walk up and
get back in.

In other words, SSO is fine across multiple applications, but if they do
choose to explicitly logout it needs to also be global (and I can't imagine
we would be able to train users to go to the IdP to logout....)

Is this something you (or anyone here) has encountered before? I'm thinking
the right solution is just an iframe on the application's logout page that
loads "https://[idb base]/logout". Is there a more elegant solution?

Cheers,
James




On Fri, Sep 5, 2014 at 7:59 AM, Richer, Justin P. <jricher at mitre.org> wrote:

> This is intentional behavior, though it can be confusing if you're
> thinking in terms of a single application and session. The user's session
> at the IdP and the RP are separate from each other. In fact, this behavior
> is what allows you to do SSO-style behavior in your applications. Since the
> user still has a session at the IdP and has indicated that they want the
> IdP to not prompt them to re-log in.
>
> It would be dangerous and undesirable to let an RP clear the session of
> the IdP automatically. However, if your app wants to require the user to
> log in directly in certain situations (say, for example, you know that
> they've recently hit "log out"), you can always pass "prompt=login" in that
> situation or set a maximum session age. I would not recommend passing that
> parameter all the time because it will annoy your users if they have to log
> in to multiple applications, which is a big feature of using an IdP.
>
>  -- Justin
>
> On Sep 4, 2014, at 5:23 PM, James Agnew <jamesagnew at gmail.com> wrote:
>
> > Hello,
> >
> > Hopefully this isn't a dumb question, but let's give it a shot. I have a
> web application (let's call it Resource Server) which is secured using a
> MitreID Connect installation (let's call it Auth Server). It uses the
> standard "code" flow, and works fine.
> >
> > I need to allow the user to explicitly log out of the Resource Server.
> In the RS the user can click a logout button which clears their session and
> deletes the token. The problem is that if they try to log in again, the
> Auth Server automatically grants them a new token without asking for
> credentials, since the user still has an active session with the Auth
> Server itself.
> >
> > So my question is this- Is this a security hole? Should the Auth Server
> be clearing the user's session upon calls to "/authorize"? I'm happy to
> take a crack at implementing that (either as an optional feature or as
> default behavior) but maybe I'm missing something fundamental.
> >
> > Cheers,
> > James
> > _______________________________________________
> > mitreid-connect mailing list
> > mitreid-connect at mit.edu
> > http://mailman.mit.edu/mailman/listinfo/mitreid-connect
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.mit.edu/pipermail/mitreid-connect/attachments/20140905/c8de2e4e/attachment-0001.htm


More information about the mitreid-connect mailing list