oltu-user mailing list archives

From "Tiburtius, Ashwanth [IWD]" <Ashwanth.Tiburt...@iwd.iowa.gov>
Subject RE: Force re-authentication
Date Wed, 22 Apr 2015 16:54:39 GMT
Hi Stein,

Really appreciate your response. It was quite precise.

I have a quick question: there are many web applications that let you use Gmail or Facebook
login to authenticate yourself. If OAuth doesn't support re-authentication, how do the
applications ensure that it is the same user that they are interacting with? It could be an issue
with privacy or sensitive data. Maybe OAuth is not meant to solve this problem yet. I am
just trying to see what the solution is. Some of my colleagues have used OpenID but Google
has deprecated it, so I am not sure if that is the right approach either. A little perplexed
and frustrated since I have been working on this for a while now. ☹

Iowa Workforce Development – IT | 1000 E Grand Ave, Des Moines, IA 50319
(515) 281-3378 | Ashwanth.Tiburtius@iwd.iowa.gov

From: Stein Welberg [mailto:stein@onegini.com]
Sent: Wednesday, April 22, 2015 12:39 AM
To: user@oltu.apache.org
Cc: Jasha Joachimsthal
Subject: Re: Force re-authentication

Hi Jude,

Oltu does not support such a scenario because the scenario you are describing is not part
of the OAuth specification, nor does it have anything to do with it :-). There are specifications
to revoke an access token [1]; as you already found out, Google allows you to do this. However,
it does not enforce the scenario you are looking for. I'm afraid you have to look for something
else because this is not standardised and therefore all providers have chosen a different

I’m afraid you are on your own on this.

[1] https://tools.ietf.org/html/rfc7009

Met vriendelijke groet / Kind regards,

Stein Welberg | CTO


M: +31639110574 | stein@onegini.com | Pompmolenlaan 9, 3447 GK, Woerden | www.onegini.com

On 21 Apr 2015, at 23:07, Tiburtius, Ashwanth [IWD] <Ashwanth.Tiburtius@iwd.iowa.gov>

Hi all,

I'm using Apache Oltu as OAuth library to authenticate users against Google, Yahoo and Microsoft.
It has worked great. Within my application I need to ask the user to re-authenticate themselves
before accessing certain pages. This is what I have found so far on this topic.

Google – lets you revoke access token using “https://accounts.google.com/o/oauth2/revoke?token=”.
But this doesn’t force re-authentication by password entry but displays only the consent
screen again.
Yahoo – has no support for this. We have to log the user out using something like https://login.yahoo.com/config/login?logout=1.
Microsoft – has the URL “https://login.live.com/oauth20_logout.srf?client_id=CLIENT_ID&redirect_url=REDIRECT_URL”
to support this behavior. I am in the process of testing it.

Does Oltu have any APIs related to this functionality? Has anyone tried to implement this?
Any help is much appreciated. Thank you.
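As an added illustration of the point made in this thread (this is example code, not part of the original messages, of Oltu, or of any provider's SDK): since OAuth does not tell the application when the user last proved their identity, the application has to track that itself. The sketch below records the time the provider login completed, refuses to serve a sensitive page when that login is older than a policy maximum, builds the RFC 7009 revocation request for the old token when it forces a fresh login, and, when the second login returns, refuses to bind the session to a different account than the one it started with (the "same user" concern raised above). The session layout, the 300-second policy, and the function names are assumptions chosen for the example; the `token` / `token_type_hint` form fields are the ones RFC 7009 defines.

```python
# Added example: application-side step-up re-authentication on top of an
# OAuth login. Not from the mailing-list thread or from Oltu; the Session
# shape, the policy constant and the function names are assumptions.
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import urlencode

# Constructed policy: a sensitive page needs a provider login younger than 5 minutes.
MAX_AUTH_AGE_SECONDS = 300.0


@dataclass
class Session:
    user_id: str        # identity the provider returned at login (hypothetical field)
    access_token: str   # token the provider issued for that login
    auth_time: float    # epoch seconds when the provider login last completed


def record_login(user_id: str, access_token: str, now: float) -> Session:
    """Called when the OAuth callback completes: stamp the authentication time."""
    return Session(user_id=user_id, access_token=access_token, auth_time=now)


def needs_reauth(session: Session, now: float, max_age: float = MAX_AUTH_AGE_SECONDS) -> bool:
    """True when the last provider login is too old for a sensitive page."""
    return (now - session.auth_time) > max_age


def revocation_request(token: str, token_type_hint: str = "access_token") -> dict:
    """Build the RFC 7009 token revocation request (POST, form-encoded body).

    The endpoint URL is provider-specific and deliberately not filled in here;
    the thread's first message lists Google's. Revocation invalidates the token
    but, as the thread notes, does not by itself guarantee a password prompt.
    """
    if token_type_hint not in ("access_token", "refresh_token"):
        raise ValueError("token_type_hint must be access_token or refresh_token")
    return {
        "method": "POST",
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({"token": token, "token_type_hint": token_type_hint}),
    }


def gate_sensitive_page(session: Optional[Session], now: float) -> Tuple[str, Optional[dict]]:
    """Decide what the handler for a sensitive page should do.

    Returns ("allow", None) when the login is fresh enough,
            ("login", None) when there is no session at all, or
            ("reauth", <revocation request>) when the login is stale: the app
            should drop its copy of the token, send the revocation request, and
            route the user through the provider login again.
    """
    if session is None:
        return ("login", None)
    if needs_reauth(session, now):
        return ("reauth", revocation_request(session.access_token))
    return ("allow", None)


def complete_reauth(old: Session, returned_user_id: str, new_token: str, now: float) -> Session:
    """Called when the second provider login finishes.

    A re-authentication must come back as the same account the session was
    opened for; otherwise someone else has just been attached to this session.
    """
    if returned_user_id != old.user_id:
        raise PermissionError("re-authentication returned a different user")
    return Session(user_id=old.user_id, access_token=new_token, auth_time=now)


if __name__ == "__main__":
    # Constructed walk-through with fixed clock values so the run is deterministic.
    s = record_login("user-123", "tok-first", now=1000.0)
    print(gate_sensitive_page(s, now=1100.0))   # fresh: ('allow', None)
    action, req = gate_sensitive_page(s, now=2000.0)
    print(action, req["body"])                  # stale: reauth token=tok-first&token_type_hint=access_token
    s = complete_reauth(s, "user-123", "tok-second", now=2000.0)
    print(gate_sensitive_page(s, now=2100.0))   # fresh again: ('allow', None)
```

The decision function takes the clock as a parameter rather than calling `time.time()` so the freshness rule can be unit-tested; in a real handler you would pass the current time and store the `Session` in whatever server-side session store the application already uses. Whether the provider actually shows a password prompt on the second login is, as the thread says, up to each provider.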

