panva / openid-client

OAuth 2 / OpenID Connect Client API for JavaScript Runtimes
MIT License
1.83k stars 392 forks

Question: Revalidating ID token #261

Closed ar2rsawseen closed 4 years ago

ar2rsawseen commented 4 years ago

Hello, I am using ID token flow and the authentication part works great and without hiccups. I can authenticate the user and then use my own session management.

But what I would want to do is to be able to recheck if the user still belongs or has an account at the ID provider. And if not, then log the user out or use some other kind of measures.

I can simply re-authenticate users, but that usually involves confirming credentials and a sign-in screen in the ID provider portal.

Is there any way to verify user existence in the ID portal without that? Something behind the scenes, like revalidating ID token? Or maybe that's the only way and such flow is not part of OIDC?

panva commented 4 years ago

@ar2rsawseen there is no such thing that you probably have in mind.

Using certified OIDC Authorization Server you ought to be able to silently check if "it's the same user" by triggering an authorization request with the following parameters prompt=none&id_token_hint=<previously received id_token>. This will either result in a new tokenset (or not if you also add response_type=none if supported by the AS) or an error.

panva commented 4 years ago

Please consider supporting the library if it provides value to you or your company and this was helpful to you. Supporting the library means, amongst other things, that such support will be available in the future.

ar2rsawseen commented 4 years ago

My other idea was to get access_token and use it to fetch user info, and if I can't, that could mean the user is not in the ID provider system anymore or simply needs access_token refresh, which in both cases would force reauthentication.

Is it abusing the system, or could it be a valid solution too?

panva commented 4 years ago

Access Tokens, same as sessions on the OP, expire. You're bound to run into errors caused by other factors than what you're looking for in either case.

ar2rsawseen commented 4 years ago

It seems your example of revalidation works perfectly; leaving it here for others to see too.

// Silent re-authentication check: prompt=none with the previously issued
// ID token as a hint; response_type=none asks the OP for no new tokens.
var url = client.authorizationUrl({
    scope: 'openid email profile',
    response_mode: 'form_post',
    response_type: 'none',
    prompt: 'none',
    id_token_hint: previous_id_token
});