Closed aliaksander-samuseu closed 10 months ago
@aliaksander-samuseu I'm not able to reproduce this issue.
I've installed latest 4.5.2 here https://yuriyz-dominant-ape.gluu.info/.well-known/openid-configuration (please find pem in bot chat if you need ssh)
First I've hit simple_password_auth (which has level 0):
https://yuriyz-dominant-ape.gluu.info/oxauth/restv1/authorize?client_id=1001.5d97240f-3fd8-4ec7-8f90-57cd7405d924&redirect_uri=https%3A%2F%2Fyuriyz-dominant-ape.gluu.info%2Fidentity%2Fauthcode.htm&response_type=code&scope=openid+profile+email+user_name&nonce=29effc4d-99e9-42cf-8352-f1d969007d5a&state=5aee1e16-1956-4d18-be54-602ab9259170&acr_values=simple_password_auth
Then basic (which has level 10, higher):
https://yuriyz-dominant-ape.gluu.info/oxauth/restv1/authorize?client_id=1001.5d97240f-3fd8-4ec7-8f90-57cd7405d924&redirect_uri=https%3A%2F%2Fyuriyz-dominant-ape.gluu.info%2Fidentity%2Fauthcode.htm&response_type=code&scope=openid+profile+email+user_name&nonce=29effc4d-99e9-42cf-8352-f1d969007d5a&state=5aee1e16-1956-4d18-be54-602ab9259170&acr_values=basic
Login screen appears, which is exactly what we expect. Can you give steps on that VM to reproduce the issue?
Closing as not reproducible. @aliaksander-samuseu please re-open if you are able to reproduce on the VM above.
Hi, @yuriyz Sorry for not answering earlier, I missed the notification in my inbox. I've got access to the Gluu Server instance you deployed (could you make sure it stays up for a bit longer, in case we need to test it further), and was able to reproduce the issue.
Here is what I did:
https://yuriyz-dominant-ape.gluu.info
url - as "basic" is set as the default method, in the trace you may see how at some point oxAuth adds "acr_values=basic" to the authz request; login as requested (a session is created at that point)
No login page for me at step 5, it immediately sends me back to oxTrust with the code.
@aliaksander-samuseu the issue is fixed in 4.5.3 and master. I've updated the VM. Would you please test it and confirm all is good?
Closing as fixed.
Describe the issue
When a user already has a session at oxAuth and a new authz request arrives requesting an auth method of a higher priority (represented by the "Level" property of its person authentication script), they are not asked to re-login as was done before, and are just issued the tokens (SSO).
Preconditions
Steps To Reproduce
https://your.gluu.server/oxauth/restv1/authorize?response_type=code&scope=openid+email+address+profile+username+cognizant+offline_access&client_id=XXXX-XXXX-XXXX&state=hVCBnAfO546jV6IBzdHowr80UjI&redirect_uri=https://some.host/some/redirect_uri&nonce=6RLUGm0O6EO63oqleJIu8rET4wuicTRXFVQySSxRkoo&acr_values=passport_saml
Expected behavior
User is presented with the login page at step 4, as the "passport_saml" auth method has a greater "level" than "basic".
Actual behavior
User is sent back to the redirect_uri with the authz code. Attached are oxauth.log and a HAR file taken during step 4 in my test setup: acr_values_relogin.zip
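As an added illustration (not oxAuth's own code) of the step-up decision this issue expects, the Python below models how an authorization request's acr_values should be checked against an existing session. The script levels for simple_password_auth (0) and basic (10) are the ones quoted in the thread; the level assigned to passport_saml, the fallback to "basic" when acr_values names no usable method, and the first-supported-value rule are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Level of each person-authentication script (higher = stronger method).
SCRIPT_LEVELS = {
    "simple_password_auth": 0,   # level quoted in the thread
    "basic": 10,                 # level quoted in the thread
    "passport_saml": 20,         # assumed value for this example
}
DEFAULT_ACR = "basic"  # the thread says "basic" is the default method


@dataclass
class Session:
    """Existing oxAuth session: who logged in and with which method."""
    user: str
    acr: str


def resolve_acr(acr_values: Optional[str], levels=SCRIPT_LEVELS) -> str:
    """Pick the method an authorize request is asking for.

    acr_values is the space-separated OIDC request parameter. Assumed
    policy: the first value the server has a script for wins; when no
    usable value is present the default method is used, matching the
    "acr_values=basic" the trace in the thread shows oxAuth adding.
    """
    for acr in (acr_values or "").split():
        if acr in levels:
            return acr
    return DEFAULT_ACR


def requires_login(session: Optional[Session], acr_values: Optional[str],
                   levels=SCRIPT_LEVELS) -> bool:
    """True when the user must be shown the login page again.

    No session: always log in. Existing session: re-authenticate only
    when the requested method has a strictly higher level than the one
    the session was created with; an equal or lower level keeps SSO,
    so the user is sent straight back with the authorization code.
    """
    requested = resolve_acr(acr_values, levels)
    if session is None:
        return True
    return levels[requested] > levels[session.acr]
```

The reported bug is the case where `requires_login` should return True (session created with "basic", request for "passport_saml") but the user was redirected with a code instead.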