Authentication popup when no display parameter is requested

By: Sergio Plasencia user 03 Dec 2015 at 3:29 a.m. CST

9 Responses
Sergio Plasencia gravatar
Hi, We are having a wrong behaviour with OpenID Connect authentication. Normally, a full page is shown but sometimes (I think it only happnes when the session times out) instead of a full page, a popup is shown. We are looking after a consisten behavior and this is quite annoying. We have modified the oxAuth config to set only page display mode: "displayValuesSupported":[ "page" ], But it still happens. We have captured the request and it does not use the display parameter at all. Following the specification (http://openid.net/specs/openid-connect-core-1_0.html), the page mode should be the default when no specific parameter is used in the request. I think this is a bug. We are using latest 2.4 version.
None
closed

Answers

By Mohib Zico staff 03 Dec 2015 at 3:43 a.m. CST

Copy
Mohib Zico gravatar
Hi Sergio, Can you capture stack trace? Do you have similarity with [this](https://github.com/GluuFederation/oxAuth/issues/90) issue?

By Sergio Plasencia user 03 Dec 2015 at 3:43 a.m. CST

Copy
Sergio Plasencia gravatar
We have also tried the following option in mod_auth_openidc: OIDCAuthRequestParams display=page&prompt=none The Request URL is now: https://development-devops-gluu-0.virdata.com/oxauth/seam/resource/restv1/oxauth/authorize?response_type=id_token&scope=openid%20virdata&client_id=%40%21DC26.BE76.0A9B.522A%210001%21A55A.4B79%210008%21A326.63D6&state=2pWurHuyWzba-BDRD2hfdTWXf9w&redirect_uri=https%3A%2F%2Fcrm.lab.com%2Ffake_redirect_uri&nonce=FZgeRFwcKgoEagcppjVGVYqtqoDafW8w0gWo72PJKWs&display=page&prompt=none But still we have the same behaviour as you can see if you try to follow the url
Video or screenshot link

By Sergio Plasencia user 03 Dec 2015 at 3:47 a.m. CST

Copy
Sergio Plasencia gravatar
This is what we get in oxauth.log when visiting the URL: 2015-12-03 09:46:25,646 TRACE [org.xdi.oxauth.service.SessionIdService] Found session_id cookie: '97e7b1ce-5815-4e48-aaec-ce85dd19f798' 2015-12-03 09:46:25,648 TRACE [org.xdi.oxauth.auth.AuthenticationFilter] Process Session Auth, sessionId = 97e7b1ce-5815-4e48-aaec-ce85dd19f798, requireAuth = true 2015-12-03 09:46:25,648 DEBUG [org.xdi.oxauth.model.error.ErrorResponseFactory] Looking for the error with id: invalid_client 2015-12-03 09:46:25,648 DEBUG [org.xdi.oxauth.model.error.ErrorResponseFactory] Found error, id: invalid_client

By Mohib Zico staff 03 Dec 2015 at 3:56 a.m. CST

Copy
Mohib Zico gravatar
Yeah... it's a bug. Let's follow in github [issue](https://github.com/GluuFederation/oxAuth/issues/90).

By Sergio Plasencia user 03 Dec 2015 at 4:02 a.m. CST

Copy
Sergio Plasencia gravatar
We are not sure about this happening in the same conditions as on https://github.com/GluuFederation/oxAuth/issues/90 We have cleared the browser cache and now it shows only the full page. But we are still not sure if it's solved. If login page was cached as a popup is because at some point Gluu was sending the wrong login page (we have never sent request parameter popup). We will do more tests.

By William Lowe user 03 Dec 2015 at 9:48 a.m. CST

Copy
William Lowe gravatar
Sergio, I'm going to leave this ticket open so that you can report your findings. We look forward to hearing your report. Thank you!!

By Sergio Plasencia user 03 Dec 2015 at 9:58 a.m. CST

Copy
Sergio Plasencia gravatar
OK, thanks. I will update accordingly

By Sergio Plasencia user 04 Dec 2015 at 4:01 a.m. CST

Copy
Sergio Plasencia gravatar
An update on our findings. After clearing the cache it was showing the full page for a while but now is showing the popup again. We believe in our case it happens when the session timesout. We are only testing with one application.

By Mohib Zico staff 22 Dec 2015 at 7:16 a.m. CST

Copy
Mohib Zico gravatar
We are going to release 2.4.1 soon. It has this fix.

Post an answer