cxf-dev mailing list archives

From Thierry Beucher <>
Subject RE: Fediz IDP webflow
Date Fri, 26 Jul 2013 00:08:27 GMT
Hi Oli,

Thanks for your feedback.

Issues you have discovered:

b) If I choose realm B (redirect to remote idp happens), the wctx is used.
The form posted to the rp contains the wctx with the same value. After the
wctx has been posted to the IDP, it must be cleared.

You are right, it must be cleared. I plan to fix it.

c) If you now clear the cookie with rp, you get redirected and the wctx is
still sent to the RP but empty this time.

I will check the wctx's whole lifecycle when fixing b).

d) the auto submit form is now displayed in the browser (should be disabled
by default but the option to enable it for debug purposes would be fine)

It doesn't happen on my side. I restored the old/normal behavior (fields
type="text" to "hidden") in the fediz-idp-2013-07-23.patch attached to
FEDIZ-3. Did you unapply my previous intermediate patch before applying
the latest (fediz-idp-2013-07-23.patch)? The last patch should be applied
based on trunk.

a) If you have chosen a home realm, it is stored in a cookie for this idp
(bound to hostname and uri). If the rp defines a home realm (whr parameter
in signin request), the home realm is updated. It must not be the case, that
an application can overwrite the home realm of a user. An application can
just enforce a home realm for the login for this application but this must
not have an impact for all other applications. Therefore home realm must not
be updated.

Same remark as for d). In fediz-idp-2013-07-23.patch, I no longer add the
cookie on entry of state checkIsThisIDP; now the cookie is only added 1) at
the showIDPList.submit transition and 2) at the transition from
processHRDSExpression, but not at the transition from checkWHRInSigninRequest.
Therefore the home realm is not updated.

I have 2 questions back:

1. Do you validate the token chain (logging was enhanced to make it easier)
as is?
IDP_TOKEN B  RP_TOKEN for A (obo) - - wresult - - > RP_TOKEN for A  new
IDP_TOKEN A   RP_TOKEN for Fedizhelloworld (obo) - - wresult - - > RP_TOKEN
for Fedizhelloworld (obo)

2. Did you also test the RP freshness requirement (before and after 1 minute
of IDP token lifetime: <freshness>1</freshness> in fediz_config.xml)
with local authentication, and freshness requirement propagation with remote
authentication?

I also have 1 remark of detail:

1. On my side bob has roles user,manager,admin with profile 'realms', not
User,Manager,Admin. Therefore the request with this user fails with Status 403
because fedizhelloworld is configured with security role User…
