OpenAM / OPENAM-14814

Session hook PAP-like for Authentication tree for front-channel Session creation/destroy


    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 5.5.1, 6.0.0, 6.5.0, 6.5.1, 6.5.2
    • Fix Version/s: None
    • Component/s: authentication, session, trees


      Previously, with custom authentication modules, the Post Authentication Plugin (PAP) provided access to the request and response of the incoming REST request. This can be used during onLoginSuccess and onLogout. When these PAP methods run, one still has access to the request information, for example to check cookies and headers, and with access to the response one can add cookies or create new response headers in relation to the REST login or logout call.

      This use case is not possible now with AuthTrees, and webhooks such as the logout WebHook do not cover the above use case, because the webhook does not have access to the request and response objects and is not tied to the authentication REST request flow.

      Some of the checklist for the requirements of this new hook:

      • Access to the HTTP request if logout is triggered by the user
      • Possibility to add something to the HTTP response (as in PAP)
      • Possibility to get session state (I am not aware if it is already accessible, but it would be good to know whether the session timed out or not)
      • Possibility to execute code on logout etc. (this is for another use case), say auditing or doing some special work that a webhook cannot help with (since the webhook does not have front-channel access)

      The RFE is asking for a special session TreeHook that would provide a PAP-like lifecycle for front-channel session triggers. The explicit logout case may be one that is currently lacking for sessions created from AuthTrees (compared to custom auth modules, which have PAP triggers). So when one does a REST logout, it is expected that this new hook is called, has access to the incoming request, and is also able to work on the response.

      TL;DR: a mechanism that gives direct access to the request/response (by injection) for any REST call that authenticates (login) or logs out, much like what PAP provides, so that some extra custom code can run in the same request flow as the authentication request.
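What the PAP lifecycle gives a module-based deployment today, as an added example that is not code from this ticket or from the OpenAM code base: a Post Authentication Plugin that reads a request header during the REST login, writes a cookie and a header into the same HTTP response that carries the login result, and on an explicit REST logout reads and clears that cookie in the logout response. It is written against the com.sun.identity.authentication.spi.AMPostAuthProcessInterface SPI with the onLoginSuccess, onLoginFailure and onLogout signatures as they exist in OpenAM 5.x/6.x. The class name, cookie name, header names and session property name are hypothetical, and the null check in onLogout is an assumption about how a session destruction that is not driven by a front-channel call reaches the plugin. This request/response access in the same request flow is exactly what the requested session TreeHook would need to reproduce for tree-created sessions.

```java
// Added example, not from OPENAM-14814 or ForgeRock. Demonstrates the
// front-channel request/response access a Post Authentication Plugin has
// through the OpenAM 5.x/6.x AMPostAuthProcessInterface SPI.
// Class, cookie, header and session property names are hypothetical.
package com.example.openam;

import java.util.Map;

import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import com.iplanet.sso.SSOException;
import com.iplanet.sso.SSOToken;
import com.sun.identity.authentication.spi.AMPostAuthProcessInterface;
import com.sun.identity.authentication.spi.AuthenticationException;

public class FrontChannelPap implements AMPostAuthProcessInterface {

    private static final String MARKER_COOKIE = "example-fc";         // hypothetical cookie name
    private static final String DEVICE_HEADER = "X-Example-Device";   // hypothetical request header
    private static final String DEVICE_PROP   = "exampleDeviceId";    // hypothetical session property

    @Override
    public void onLoginSuccess(Map requestParamsMap, HttpServletRequest request,
                               HttpServletResponse response, SSOToken ssoToken)
            throws AuthenticationException {
        // Request side: inspect the inbound /json/authenticate call directly.
        String device = request.getHeader(DEVICE_HEADER);
        if (device != null && !device.isEmpty()) {
            try {
                // Keep it on the session so onLogout can correlate without re-parsing.
                ssoToken.setProperty(DEVICE_PROP, device);
            } catch (SSOException e) {
                throw new AuthenticationException(e.getMessage());
            }
        }
        // Response side: this is the same HTTP response that carries the tokenId,
        // so the cookie and header arrive in the same round trip as the login result.
        Cookie marker = new Cookie(MARKER_COOKIE, "1");
        marker.setPath("/");
        marker.setSecure(true);
        marker.setHttpOnly(true);
        response.addCookie(marker);
        response.setHeader("Cache-Control", "no-store");
    }

    @Override
    public void onLoginFailure(Map requestParamsMap, HttpServletRequest request,
                               HttpServletResponse response) throws AuthenticationException {
        // Nothing to do on failure in this example.
    }

    @Override
    public void onLogout(HttpServletRequest request, HttpServletResponse response,
                         SSOToken ssoToken) throws AuthenticationException {
        // Assumption: a null request/response means the session was destroyed
        // without a front-channel call (for example a timeout); only touch the
        // HTTP objects when the user explicitly called the logout endpoint.
        boolean explicit = request != null && response != null;
        String device = null;
        try {
            device = ssoToken.getProperty(DEVICE_PROP);
        } catch (SSOException e) {
            // The session may already be invalid; continue with device == null.
        }
        if (explicit) {
            boolean hadMarker = false;
            Cookie[] cookies = request.getCookies();
            if (cookies != null) {
                for (Cookie c : cookies) {
                    if (MARKER_COOKIE.equals(c.getName())) {
                        hadMarker = true;
                    }
                }
            }
            // Clear the marker in the logout response itself.
            Cookie expire = new Cookie(MARKER_COOKIE, "");
            expire.setPath("/");
            expire.setMaxAge(0);
            response.addCookie(expire);
            response.setHeader("X-Example-Logout", hadMarker ? "marker-cleared" : "no-marker");
        }
        // Audit hook point: replace with the deployment's audit or logging call.
        System.out.println("logout explicit=" + explicit + " device=" + device);
    }
}
```

The class has to be on OpenAM's classpath and registered as a Post Authentication Processing class in the realm's authentication settings for it to be invoked; the point for this ticket is that both the login and the logout hook receive the live servlet request and response, which the logout WebHook for trees does not.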





              • Assignee:
                chee-weng.chea C-Weng C
              • Votes: 3
              • Watchers: 11


                • Created: