Explicit Authentication request is skipped if a user is logged in already (due to cookie I believe)
Hi, we have the following setup:
- Nuxeo running in an embedded iFrame, which is a part of our application
- To use our application, the user must log in to it
- To use Nuxeo, the user clicks on a dedicated button, which causes the iFrame to SSO to Nuxeo, using currently logged in user's credentials
The problem is that:
- user A logs in to our application
- user A clicks the iFrame button
- iFrame related code explicitly sends auth request with A's credentials to nuxeo/nxstartup.faces
- the auth is handed to our SSO plugin, and upon successful auth A gets into Nuxeo
- user A logs out of our application
- user B logs in to our application
- user B clicks the iFrame button
- iFrame related code explicitly sends auth request with B's credentials to nuxeo/nxstartup.faces
- --> Nuxeo consumes the auth request, and lets user B in, while displaying user 'A' as the one being logged in; looking into server.log confirms that the auth request for user B never reaches our SSO plugin
Could anyone please advise on how to resolve the issue?
P.S.
- I have tried to delete the JSESSIONID cookie from within the main application code, but I cannot even see it (I think it is because our application and Nuxeo are on different domains).
- if I am not mistaken, this has nothing to do with the use of an iFrame, i.e. I can reproduce it by pasting the URLs the iFrame submits its requests to in a plain browser tab and get the same results
That looks like a single global logout problem and depends on your SSO. For instance, with CAS, "user A logs out of our application" should imply a CAS logout. Other forms of global logout might be more complex to handle.
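
A simplified model of the behaviour discussed in this thread, as an added example that is not part of the original posts and is not Nuxeo code: a cookie session that outlives the application logout makes the server skip the SSO plugin, and either a global logout or a server-side identity comparison prevents it. The class, method and flag names are hypothetical, and the assumption is that an existing session short-circuits authentication.

```python
import secrets

class Server:
    """Toy cookie-session server fronted by an SSO plugin (hypothetical names)."""

    def __init__(self, rebind_on_mismatch):
        self.sessions = {}        # session id -> logged-in principal
        self.plugin_calls = []    # users the SSO plugin was asked to authenticate
        self.rebind_on_mismatch = rebind_on_mismatch

    def sso_plugin(self, user):
        # Stand-in for the real credential check; always succeeds in this model.
        self.plugin_calls.append(user)
        return user

    def handle(self, cookie, asserted_user):
        """Process an explicit auth request; return (cookie, principal shown)."""
        principal = self.sessions.get(cookie)
        if principal is not None:
            if not self.rebind_on_mismatch or principal == asserted_user:
                return cookie, principal   # existing session wins, plugin skipped
            del self.sessions[cookie]      # identity changed: drop the stale session
        principal = self.sso_plugin(asserted_user)
        cookie = secrets.token_hex(16)     # fresh id, the old one is never reused
        self.sessions[cookie] = principal
        return cookie, principal

    def logout(self, cookie):
        """Global logout hook: called when the application's own user logs out."""
        self.sessions.pop(cookie, None)


def scenario(server, global_logout):
    """User A signs in and leaves, then user B signs in from the same browser."""
    cookie, _ = server.handle(None, "A")
    if global_logout:
        server.logout(cookie)
    _, shown = server.handle(cookie, "B")
    return shown, list(server.plugin_calls)


if __name__ == "__main__":
    # Constructed runs: the reported behaviour, then the two mitigations.
    print(scenario(Server(rebind_on_mismatch=False), global_logout=False))
    print(scenario(Server(rebind_on_mismatch=False), global_logout=True))
    print(scenario(Server(rebind_on_mismatch=True), global_logout=False))
```
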