There is a use case to fulfil a "silent-relogin" (like https://auth0.com/docs/authenticate/login/max-age-reauthentication#max_age-authentication-request-parameter). This means a user is already successfully authenticated but should trigger a new login flow.

Note that both tokens for the AS "ProductIDP" and the AS "ExternalIDP" should be updated/renewed, so a single token refresh triggered from the RP to the AS ProductIDP will not be sufficient, as the "ExternalIDP" token will not be refreshed until it is outdated.

Here is the use case in detail:

```
####
Silent-Relogin
####

                                               max_age=0
+-----------+      Client Identifier       +---------------+                                 +---------------+
|          -+--(A)-& Redirection URI ----->|               |                                 |               |
|  User-    |   & User re-authenticates    | Authorization |                                 | Authorization |
|  Agent    |                              |    Server     |                                 |    Server     |
|           |                              |               |<-(a')Authorization-Code-Flow--->|               |
|          -+--(B)-- Authorization Code ---<|  ProductIDP   |                                 |  ExternalIDP  |
+--|----|---+                              |    Client     |                                 |               |
   |    |                                  |  product-idp  |                                 |               |
   |    |                                  +---------------+                                 +---------------+
   |    |                                        ^   v
  (A)  (C)                                       |   |
   |    |                                        |   |
   ^    v                                        |   |
+-----------+                                    |   |
|           |>--(C)-- Authorization Code --------'   |
|  Client   |          & Redirection URI             |
|           |                                        |
|main-product|<--(D)----- Access Token --------------'
+------------+       (w/ Optional Refresh Token)
```

(A/B) The UserAgent initiates a new relogin on the Client. The Client passes the parameter "max_age=0" to the AS "ProductIDP". The user re-authenticates automatically (using session cookies).

(a') Based on the max_age=0 param, AS ProductIDP initiates a silent relogin on the AS ExternalIDP (with a normal auth-code flow).

(B)/(C)/(D) Normal Authorization Code Flow steps.

We use this pattern already with https://github.com/auth0/express-openid-connect as RP.

There is a fork which demonstrates a running example of the silent relogin using express-openid-connect and two Keycloak realms:

We would like to use the same strategy using mod_auth_openidc.

Is a silent relogin supported and if yes, how can we configure the silent-relogin case?