OpenAM issue OPENAM-17260

Allow arg=newsession usage in authorize calls


Details

    • Sprint: AM Sustaining Sprint 82

    Description

      Bug description

      There are scenarios where different users use the same device/machine/terminal to authenticate to AM using OIDC. Previously you could use prompt=login, which destroyed the existing session and allowed the new user to log in. Following the changes made in OPENAM-14572, this no longer works: AM expects the same user to reauthenticate. Supporting arg=newsession in authorize calls would allow this scenario to keep working.

      How to reproduce the issue

      1. Complete an authorize call with User1 and obtain an authorization code.
      2. In the same browser, make an authorize call with User2 that includes prompt=login.

      Expected behaviour

      User2 gets an authorization code.

      Current behaviour

      Error "Session upgrade fails since user is different than original authenticated user"

      Workaround

      Use the endSession endpoint to end the first user's session, if an id_token is available.
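The reproduction steps and the workaround above as request sequences, an added example that is not code from this issue or from AM itself. The AM host, client_id, redirect URIs and state value are constructed placeholders; the endpoint paths /oauth2/authorize and /oauth2/connect/endSession, and calling endSession before the second authorize call, are assumptions.

```python
# Added example (not from the OpenAM issue or the AM code base): builds the
# request sequence from the reproduction steps and the endSession workaround.
from urllib.parse import urlencode, urlparse, parse_qs

AM_BASE = "https://am.example.com/openam"          # constructed placeholder
CLIENT_ID = "example-client"                        # constructed placeholder
REDIRECT_URI = "https://rp.example.com/callback"    # constructed placeholder
LOGOUT_URI = "https://rp.example.com/logged-out"    # constructed placeholder


def authorize_url(extra=None):
    """OIDC authorization request; `extra` carries prompt=login or arg=newsession.
    The /oauth2/authorize path is an assumption."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid",
        "state": "constructed-state",
    }
    params.update(extra or {})
    return f"{AM_BASE}/oauth2/authorize?{urlencode(params)}"


def end_session_url(id_token):
    """RP-initiated logout; id_token_hint names the session being ended.
    The /oauth2/connect/endSession path is an assumption."""
    params = {"id_token_hint": id_token, "post_logout_redirect_uri": LOGOUT_URI}
    return f"{AM_BASE}/oauth2/connect/endSession?{urlencode(params)}"


def reproduction_sequence():
    """Steps 1-2 of the issue: User1 authorizes, then User2 authorizes with
    prompt=login in the same browser (same cookie jar, same AM session)."""
    return [authorize_url(), authorize_url({"prompt": "login"})]


def workaround_sequence(id_token):
    """Workaround from the issue (ordering assumed): end User1's session with
    endSession first, so User2's authorize call starts a fresh session rather
    than triggering a session upgrade for a different user."""
    return [end_session_url(id_token), authorize_url({"prompt": "login"})]


def query(url):
    """Flatten the query string of a URL into a dict for inspection."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
```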

            People

              lawrence.yarham Lawrence Yarham
              aaron.haskins Aaron Haskins [X] (Inactive)