Closed inabajunmr closed 1 year ago
The current model has problems when claims affect what the user should do next. For example, if the acr claim expects AAL2 in the following situation, an application can't handle it.
In this case, the current AzIdP4J judges that it should return a success response by redirect for this authorization request.
When the expected next action is redirect, the caller may still want to send a response that is not a redirect, e.g. additional authentication for the acr claim.
In this case, AzIdP4J doesn't want to issue any tokens, because they would be wasted.
In this model, the caller calls an additional method like redirect() when response.next is redirect and the caller wants to get the redirect URL.

```java
// pseudocode: the condition inside if (...) is written in words
var response = azIdP.authorize(authzReq);
// azidp4j responds with what the authorization should do next.
switch (response.next) {
    case redirect -> {
        if (response.authorizationRequest.claims required additional authentication) {
            // additional login flow
        }
        var redirect = response.redirect();
        return "redirect:" + redirect;
    }
}
```
But not all redirect patterns require additional authentication (when the user doesn't have a high enough AAL), because there are also error redirect responses. So the caller needs to judge whether the response is a success or not.
But that requires a more complicated implementation for simple identity providers.
```java
// pseudocode: the condition inside if (...) is written in words
switch (response.next) {
    case errorRedirect -> {
        var redirect = response.redirect(); // or just response.redirectTo
        return "redirect:" + redirect;
    }
    case successRedirect -> {
        if (response.authorizationRequest.claims required additional authentication) {
            // additional login flow
        }
        var redirect = response.redirect();
        return "redirect:" + redirect;
    }
}
```
This pattern doesn't require distinguishing the two if the caller doesn't need that feature.
```java
// pseudocode: the second half of the condition inside if (...) is written in words
switch (response.next) {
    case redirect -> {
        if (response.type.equals(successRedirect) && response.authorizationRequest.claims required additional authentication) {
            // additional login flow
        }
        var redirect = response.redirect();
        return "redirect:" + redirect;
    }
}
```
https://github.com/inabajunmr/azidp4j/pull/108/files
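The following is an added, self-contained Java model of the third pattern above; it is not code from the issue, the linked PR or azidp4j itself. Every name in it (NextAction, RedirectType, AuthorizationResponse.type, AuthorizationRequest.requestedAcr, ISSUED_CODES, the ACR_RANK table, the sample client) is this example's own assumption. It also makes one design choice the issue only hints at: redirect() is the point at which the authorization code is actually issued, so a caller that diverts to step-up authentication before calling it never causes a wasted code. The sample client and acr values are constructed for the demo.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import java.util.function.Supplier;

public class AuthorizeNextActionExample {

    /** What the caller should do next (names are this example's own, not azidp4j's). */
    enum NextAction { redirect, additionalPage, errorPage }

    /** Success and error redirects both have next == redirect; type tells them apart. */
    enum RedirectType { successRedirect, errorRedirect }

    /** Only the request fields this example dispatches on; requestedAcr stands in for the acr claim. */
    record AuthorizationRequest(String redirectUri, String responseType, String state, String requestedAcr) {}

    /** What the user has already proven in the current session. */
    record Session(String subject, String currentAcr) {}

    /** Constructed sample data: one registered redirect_uri and a ranking of acr values by AAL. */
    static final Set<String> REGISTERED_REDIRECT_URIS = Set.of("https://rp.example/callback");
    static final Map<String, Integer> ACR_RANK = Map.of("aal1", 1, "aal2", 2, "aal3", 3);

    /** Codes issued so far; shows that nothing is issued until redirect() is actually called. */
    static final List<String> ISSUED_CODES = new ArrayList<>();

    static final class AuthorizationResponse {
        final NextAction next;
        final RedirectType type; // null unless next == redirect
        final AuthorizationRequest authorizationRequest;
        private final Supplier<String> redirectTo;

        AuthorizationResponse(NextAction next, RedirectType type,
                              AuthorizationRequest req, Supplier<String> redirectTo) {
            this.next = next;
            this.type = type;
            this.authorizationRequest = req;
            this.redirectTo = redirectTo;
        }

        /** Builds the redirect URL; for a success redirect this is the moment the code is issued. */
        String redirect() {
            if (next != NextAction.redirect) throw new IllegalStateException("next is " + next);
            return redirectTo.get();
        }
    }

    /** Library side: decides the next action but defers code issuance to redirect(). */
    static AuthorizationResponse authorize(AuthorizationRequest req, Session session) {
        if (!REGISTERED_REDIRECT_URIS.contains(req.redirectUri())) {
            // Unregistered redirect_uri: never redirect there (open redirect); render an error page.
            return new AuthorizationResponse(NextAction.errorPage, null, req, null);
        }
        if (!"code".equals(req.responseType())) {
            // Error redirect: safe to build eagerly, nothing is issued.
            var url = req.redirectUri() + "?error=unsupported_response_type&state=" + enc(req.state());
            return new AuthorizationResponse(NextAction.redirect, RedirectType.errorRedirect, req, () -> url);
        }
        if (session == null) {
            return new AuthorizationResponse(NextAction.additionalPage, null, req, null); // login page
        }
        return new AuthorizationResponse(NextAction.redirect, RedirectType.successRedirect, req, () -> {
            var code = UUID.randomUUID().toString();
            ISSUED_CODES.add(code); // stands in for persisting the code
            return req.redirectUri() + "?code=" + code + "&state=" + enc(req.state());
        });
    }

    /** Caller side: the third pattern from the issue, with the acr check only on success redirects. */
    static String handle(AuthorizationRequest req, Session session) {
        var response = authorize(req, session);
        return switch (response.next) {
            case redirect -> {
                if (response.type == RedirectType.successRedirect
                        && needsStepUp(response.authorizationRequest, session)) {
                    // Divert to step-up without calling redirect(): no code is issued and wasted.
                    yield "redirect:/login/mfa";
                }
                yield "redirect:" + response.redirect();
            }
            case additionalPage -> "login";
            case errorPage -> "error";
        };
    }

    /** True when the requested acr ranks higher than what the session has already proven. */
    static boolean needsStepUp(AuthorizationRequest req, Session session) {
        if (session == null || req.requestedAcr() == null) return false;
        return ACR_RANK.getOrDefault(session.currentAcr(), 0) < ACR_RANK.getOrDefault(req.requestedAcr(), 0);
    }

    static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }

    public static void main(String[] args) {
        var req = new AuthorizationRequest("https://rp.example/callback", "code", "xyz", "aal2");
        // Error redirect: type is errorRedirect, so the acr check is skipped entirely.
        System.out.println(handle(new AuthorizationRequest("https://rp.example/callback", "token", "xyz", null), null));
        // Success redirect but session is only aal1: diverted to step-up, ISSUED_CODES stays empty.
        System.out.println(handle(req, new Session("alice", "aal1")) + " issued=" + ISSUED_CODES.size());
        // Session satisfies aal2: redirect() runs and the code is issued now.
        System.out.println(handle(req, new Session("alice", "aal2")) + " issued=" + ISSUED_CODES.size());
    }
}
```

The point of returning a Supplier-backed redirect() rather than a precomputed URL is that the library can hand the caller both the decision (next, type) and the parsed request, and still issue nothing until the caller commits to the success redirect; an error redirect carries no token, so it can be built eagerly without waste.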