OpenID Client & default / oxTrust ACR

By: Cu kal user 27 Feb 2020 at 12:22 p.m. CST

3 Responses
Cu kal gravatar
I'm running 3.1.6 and going to upgrade to 4.0.1 if possible. In 3.1.6 I defined an OpenID client to use with Apache mod_openidc as described in the docs. With that config I could login to /myappplication and also in the oxtrust /identity/ app. In case of going to /identity/ I would see the logged-in user's profile. I can no longer do that in 4.0.1 unless I set the Manage Authentication default acr & oxTrust acr to the same value. With 3.1.6 I could set them to different values and was able to go from /myapplication to /identity but now I get prompted to login in again. Is this behaviour as-expected or do I need to change specific settings to get the same behaviour in 4.0.1 as in 3.1.6?
Gluu 4.0 CentOS 7.0
closed

Answers

By Cu kal user 27 Feb 2020 at 12:46 p.m. CST

Copy
Cu kal gravatar
I think I fixed it by setting the "Level" for both custom scripts to "100".

By Aliaksandr Samuseu staff 27 Feb 2020 at 12:58 p.m. CST

Copy
Aliaksandr Samuseu gravatar
Hi, Cu kal. You need to perceive oxTrust as just another app that uses oxAuth for authentication. That's correct - each auth method has its own Level value. If you already have a session at oxAuth which was created with auth method with Level 10, and start a flow from another app that requests another auth method with Level 20 - oxAuth will invalidate current session and ask you to authenticate again. That's by design - apps that require more secure auth methods won't use SSO session that was established with less secure method.

By Cu kal user 27 Feb 2020 at 1:14 p.m. CST

Copy
Cu kal gravatar
Hi Aliaksandr, thanks for your reply, it really does clear up the Level value for me. Great to know something like that is possible!

Post an answer