By: Jarkko Rantamäki user 16 Aug 2018 at 1:51 a.m. CDT

10 Responses
Hello! I'm implementing an OpenID Connect authentication with Gluu and I have a custom application which handles the login. I am implementing the Authorization Code flow with two-phase authentication. What is the correct way to implement a cancel functionality in the login flow with Gluu?

The login application has a "cancel" button, if the user decides to not authenticate. The desired behavior would be to redirect the user back to the relying party with an error payload saying something like: "User did not authenticate". This is similar to the Authorization Code flow, where the user authenticates successfully and then gets redirected back to the relying party with an authorization code. With the cancel button I would like to do a similar redirect, but with an error payload.

I have read about the LogoutAction, but my understanding is that it should be used for performing a logout for a user that has already authenticated. Is this correct or am I misunderstanding something?

It would be possible to do a JavaScript redirect directly from the login application, but this approach has a drawback in the two-phase authentication. If the user decides to cancel the authentication in the second phase, the session and other intermediate state should be cleaned up, but this will not happen if I implement a JavaScript redirect from the UI directly. Or is there a method in Gluu that will do this cleanup/logout if I call it from a custom script? I'm already using a custom Python script to integrate Gluu with the login application.

What is the correct way to implement this?

br, Jarkko

By Aliaksandr Samuseu staff 16 Aug 2018 at 11:59 a.m. CDT

Hi, Jarkko. In case of a custom auth script, if you need to interrupt or invalidate the user's authentication process from the script, it's usually done by making the [authenticate() function](https://github.com/GluuFederation/oxAuth/blob/master/Server/integrations/gplus/GooglePlusExternalAuthenticator.py#L85) return "False". Then you could probably add some jscript code to the page which deals with the "Authentication failed" error in the way you need. You can find some more info on custom scripts [here](https://gluu.org/docs/ce/3.1.3/authn-guide/customauthn/) and [here](https://gluu.org/docs/ce/3.1.3/developer-guide/script-debugging/). Examples are [here](https://github.com/GluuFederation/oxAuth/tree/master/Server/integrations).

By Michael Schwartz Account Admin 20 Aug 2018 at 1:10 p.m. CDT

So if the user hits "cancel", why do you need to redirect to the OpenID Provider at all? I'm not following the logic.

Also, if it's a mobile app, are you using AppAuth? Review this stuff:

* RFC 8252: Best practices for mobile SSO https://tools.ietf.org/html/rfc8252
* Gluu blog on AppAuth http://www.gluu.co/appauth-blog
* Slides from Google on AppAuth http://www.gluu.co/best-practices-native-oauth-slides

AppAuth clients:

* [https://github.com/openid/AppAuth-JS](https://github.com/openid/AppAuth-JS)
* [https://github.com/openid/AppAuth-iOS](https://github.com/openid/AppAuth-iOS)
* [https://github.com/openid/AppAuth-Android](https://github.com/openid/AppAuth-Android)

The high level is:

1. use code flow (not implicit flow)
2. use PKCE
3. use custom handler (i.e. myapp:// not https://) as callback
4. don't store client secret in mobile app (which can be decompiled).
5. refresh tokens are ok

By Jarkko Rantamäki user 21 Aug 2018 at 7:04 a.m. CDT

Thanks for the answers! I will try to clarify my question. We are implementing OpenID Connect with Gluu, and we have a custom web application that is integrated with Gluu and handles the backend service calls for the authentication. When the user has passed the first phase of authentication they may choose to cancel in the second phase. In this situation I would like to make a redirect from Gluu to the relying party with an error payload.

We just realized that the ConsentGathering step in Gluu does exactly what I'm trying to achieve. When the user cancels/denies the consent, Gluu performs a redirect to the relying party with error, error_description and state. This happens at least with the ConsentGatheringSample.py: https://github.com/GluuFederation/oxAuth/blob/master/Server/integrations/authz/ConsentGatheringSample.py

Can this action be performed from the first phases of the authentication? From this script for example: https://github.com/GluuFederation/oxAuth/blob/master/Server/integrations/basic/BasicExternalAuthenticator.py

The consent gathering step already requires the user to be authenticated, so it would be difficult to use.

The links you posted are related to authenticating from a mobile client, but I did not understand how they apply in our use case, since we are implementing the OpenID provider.

Best regards, Jarkko

By Michael Schwartz Account Admin 21 Aug 2018 at 12:11 p.m. CDT

That's an interesting request, but right now I think your only option is to fail in step 2. I'll inquire with a developer about it. And if you want, you could make a [feature request on oxAuth](https://github.com/GluuFederation/oxauth/issues). Also, if you had a support contract, your feature requests would have more priority.

By Jarkko Rantamäki user 22 Aug 2018 at 7:47 a.m. CDT

After some tinkering, I think I found a solution. It is possible to make the method call to invoke authorizeAction.permissionDenied from the other phases of the authentication. This performs the redirect to the relying party. As in here with the commandLink: https://github.com/GluuFederation/oxAuth/blob/master/Server/src/main/webapp/authorize.xhtml

Is there any reason why this would be a bad idea or not advisable?

br, Jarkko

By Michael Schwartz Account Admin 22 Aug 2018 at 12:30 p.m. CDT

Good question... you're stumping me. Yuriy?

By Yuriy Movchan staff 22 Aug 2018 at 2:05 p.m. CDT

From my point of view it's easier to replace error.xhtml and put inside it code to submit the payload to your RP. You can put the customized file at: `/opt/gluu/jetty/oxauth/custom/pages/error.xhtml`

Also in your custom script, instead of returning False from the authentication method you can simply do a redirect to the RP. Here is an example:

```
# Gluu custom script (Jython). Package prefix is org.xdi on Gluu 3.x, org.gluu on 4.x.
from org.xdi.service.cdi.util import CdiUtil
from org.xdi.jsf2.service import FacesService

# url: the RP's redirect_uri carrying the error payload (error, error_description, state)
facesService = CdiUtil.bean(FacesService)
facesService.redirectToExternalURL(url)
```

By Rui Engana Account Admin 16 Aug 2020 at 1:12 p.m. CDT

I am also interested in this feature. User might select Gluu for SSO but for some reason needs to cancel before proceeding with authentication.

By Rui Engana Account Admin 17 Aug 2020 at 2:30 a.m. CDT

For future reference. I resolved this issue by adding the below code to the custom login.xhtml:

```
<a href="#{authorizeAction.redirectUri}#error=access_denied&amp;error_description=User%20cancelled&amp;state=#{authorizeAction.state}">Cancel</a>
```

NOTES: I haven't found out a way to hide the cancel button when logging in directly via oxTrust.
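The cancel redirect discussed in this thread (Yuriy's `redirectToExternalURL(url)` needs such a `url`, and Rui's link builds it by hand) must place `error`, `error_description` and `state` where RFC 6749 expects them: in the query string for the Authorization Code flow (section 4.1.2.1) and in the fragment for the implicit flow (section 4.2.2.1). The following is an added example, not Gluu's or either poster's code; it builds the redirect for both cases, preserves any query the RP registered in its redirect_uri, and shows the RP-side check that the echoed `state` matches the pending login attempt. All names and sample values are constructed.

```python
# Added example (not Gluu's code): build the OP's cancel redirect and validate it at the RP.
from urllib.parse import urlencode, urlsplit, urlunsplit, parse_qs, quote

ACCESS_DENIED = "access_denied"  # RFC 6749 error code for a user that refuses to authenticate


def build_cancel_redirect(redirect_uri, state, response_type="code",
                          description="User cancelled authentication"):
    """Return the redirect URL carrying error, error_description and state.

    RFC 6749 puts the error parameters in the query string for the code flow
    and in the fragment for the implicit flow, so placement follows response_type.
    """
    params = {"error": ACCESS_DENIED, "error_description": description}
    if state is not None:  # echo state back unchanged so the RP can bind the reply to its request
        params["state"] = state
    encoded = urlencode(params, quote_via=quote)  # quote() encodes spaces as %20
    scheme, netloc, path, query, fragment = urlsplit(redirect_uri)
    if response_type == "code":
        # keep any query the client registered as part of its redirect_uri
        query = f"{query}&{encoded}" if query else encoded
    else:
        fragment = encoded
    return urlunsplit((scheme, netloc, path, query, fragment))


def parse_error_callback(url, expected_state):
    """RP side: read the error payload and reject a callback whose state does not match."""
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    # the parameters live in the query (code flow) or the fragment (implicit flow)
    raw = q if "error" in q else parse_qs(parts.fragment)
    data = {k: v[0] for k, v in raw.items()}
    if data.get("state") != expected_state:
        raise ValueError("state mismatch: callback is not bound to this login attempt")
    return data.get("error"), data.get("error_description")


if __name__ == "__main__":
    # constructed sample: an RP callback and the state it issued for this login
    op_reply = build_cancel_redirect("https://rp.example/cb", "abc123")
    print(op_reply)
    print(parse_error_callback(op_reply, "abc123"))
```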

By Michael Schwartz Account Admin 17 Aug 2020 at 11:01 a.m. CDT

oxTrust is for admins only.