Explicit Authentication request is skipped if a user is logged in already (due to cookie I believe)

Hi, We have the following setup:

  • Nuxeo running in an embedded iFrame, which is a part of our application
  • To use out application, the user must log in to it
  • To use Nuxeo, the user clicks on a dedicated button, which causes the iFrame to SSO to Nuxeo, using currently logged in user's credentials

The problem is that:

  • user A logs in to our application
  • user A clicks the iFrame button
  • iFrame related code explicitly sends auth request with A's credentials to nuxeo/nxstartup.faces
  • the auth is handed to our SSO plugin, and upon successful auth A gets into Nuxeo
  • user A logs out of our application
  • user B logs in to our application
  • user B clicks the iFrame button
  • iFrame related code explicitly sends auth request with B's credentials to nuxeo/nxstartup.faces
  • —»> Nuxeo consumes the auth request, and lets user B in, while displaying user 'A' as the one being logged in; looking into server.log confirms that the auth reuest for user B never reaches our SSO plugin

Could anyone please advise on how to resolve the issue ? p.s.

  • I have tried to delete the JSESSIONID cookie from within the main application code, but I cannot even see it (I think it is because our application and Nuxeo are on different domains.
  • if I am not mistaken this has nothing to do with the use of an iFrame, i.e. I can reproduce by pasting the URLs the iFrame submits its requests to in a plain browser tab and get same results
0 votes

0 answers

2175 views

ANSWER

That looks like a single global logout problem and depends on your SSO. For instance, with CAS, "user A logs out of our application" should imply a CAS logout. Other forms of global logout might be more complex to handle.
11/29/2016