cxf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Oliver Wulff (JIRA)" <>
Subject [jira] [Commented] (FEDIZ-20) IDP should maintain authentication state
Date Mon, 01 Oct 2012 09:07:07 GMT


Oliver Wulff commented on FEDIZ-20:

The IDP first requests a token from the STS for the successful authentication. Then this token
is stored in the session. For every RP (application) token it requests a new token on-behalf-of
the cached token.

You can configure the cache time in the init parameter 'token.internal.lifetime'. Default
2 hours.

I've raised FEDIZ-28 to logout/terminate the session with the IDP.
> IDP should maintain authentication state
> ----------------------------------------
>                 Key: FEDIZ-20
>                 URL:
>             Project: CXF-Fediz
>          Issue Type: Improvement
>          Components: IDP
>    Affects Versions: 1.0.0
>            Reporter: Juan Manuel CABRERA
>            Assignee: Oliver Wulff
> The IDP relies on the browser to cache the end user's credentials (classical way to work
for a HTTP Basic authentication).
> So in the IDP there is no way to kill a end user session without killing the browser.
> The IDP should maintain these credentials (or better : the proof that these credentials
were checked at some point - i.e. a token).
> If for instance this token is stored in the HTTP session, the IDP will then be capable
of removing it from the session, effectively killing the authentication and forcing the end
user to enter again his credentials.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see:

View raw message