Open mkutouski opened 9 months ago
OIDC authentication is working with both Nginx and Apache.
But the de-authentication is another matter. On logout, Sunstone is resetting only its cookies, so a user is still authenticated via OIDC after signing out from Sunstone. Also when the OIDC cookie expires, the reverse proxy is trying to redirect the user to the OIDC login to re-authenticate, but that is not handled in Sunstone - an error is thrown instead like "can't connect to server". A page refresh (via F5 on the browser) returns the OIDC login.
A monkey patching of main-dist.js resolves both issues, but having a proper upstream solution would be greatly appreciated.
As a bonus wish - support multiple OIDC providers. not only a single email stored in the password field ;)
The Sunstone/FireEdge remote authentication method only handles the authentication of the user at the time of login. Authentication of the remote ticket is a complementary setup, which can rely on Apache/Nginx for OIDC (confirmed! thanks), following the same procedure that if we're using SAML.
Following the de-authentication issue after logout() and cookie destruction/reset or session expiration, we're considering to implement a Sunstone/FireEdge Initiated Logout ASAP. For this case, we will consider that FireEdge will be responsible for initiation of internal security context (security session) destruction (i.e., logout the user). After this, we will redirect the user agent to the IdP logout endpoint URL defined in the current OIDC Session Management Spec fixing and closing the process :)
Description
The Sunstone/FireEdge remote authentication method only handles the authentication of the user at the time of login. Authentication of the remote ticket is a complementary setup, which can rely on Apache/Nginx for OIDC (confirmed! thanks), following the same procedure that if we're using SAML.
Following the de-authentication issue after logout() and cookie destruction/reset or session expiration, we're considering to implement a Sunstone/FireEdge Initiated Logout ASAP. For this case, we will consider that FireEdge will be responsible for initiation of internal security context (security session) destruction (i.e., logout the user). After this, we will redirect the user agent to the IdP logout endpoint URL defined in the current OIDC Session Management Spec fixing and closing the process
Progress Status