# |
May 11th 2021, 15:35 |
paolo.bragagni |
when I go with register if I'm in 'smartcard' it takes username from smartcard |
# |
May 11th 2021, 15:34 |
paolo.bragagni |
I'd like that user can authenticate with User and passw, smartcard or IdProvider |
# |
May 11th 2021, 15:33 |
slackebot |
<paolo.bragagni> |
# |
May 11th 2021, 15:27 |
ndm |
Again, do you provide any login "form" in your users controller's login action, or does visiting that URL automatically send visitors to your ID provider? |
# |
May 11th 2021, 15:26 |
paolo.bragagni |
hum |
# |
May 11th 2021, 15:25 |
ndm |
Boy.. that wording... |
# |
May 11th 2021, 15:24 |
ndm |
All this basically does is invoke `clearIdentity()` being called on all authenticators that do implement `\Authentication\Authenticator\PersistenceInterface`, and dispatch an `Authentication.logout` event (it also returns a redirect URL btw). If your code doesn't use neither to do any authentication, then this shouldn't really be a problem. |
# |
May 11th 2021, 15:21 |
paolo.bragagni |
reauthenticate because my (terrible) autenticate is fired |
# |
May 11th 2021, 15:20 |
paolo.bragagni |
this line $this->Authentication->logout(); |
# |
May 11th 2021, 15:19 |
paolo.bragagni |
public function logout() { $this->Authorization->skipAuthorization(); $this->Authentication->logout(); return $this->redirect(['controller' => 'Users', 'action' => 'login']); } |
# |
May 11th 2021, 15:19 |
ndm |
As we all do, learning never stops :) |
# |
May 11th 2021, 15:19 |
paolo.bragagni |
the problem is that in my Users logout action |
# |
May 11th 2021, 15:17 |
paolo.bragagni |
thanks ndm trying o learn.. :S |
# |
May 11th 2021, 15:15 |
slackebot |
"login (with xyz provider)" button or the like? |
# |
May 11th 2021, 15:15 |
ndm |
First things first, never access superglobals with CakePHP directly, always use the request object for that, and never die in your code, use graceful returns or exceptions (for redirects in authenticators you can specifically use `\Authentication\Authenticator\AuthenticationRequiredException` with a `Location` header passed to it)! Besides that, this all happens automatically I guess, ie you're not showing logged out users a |
# |
May 11th 2021, 15:08 |
paolo.bragagni |
provider response with $_GET['code'] that I use for get the user via curl |
# |
May 11th 2021, 15:05 |
slackebot |
// PCKE NON ABILITATO SU ARPA ]); header('Location: ' . $authorize_url); exit; } |
# |
May 11th 2021, 15:05 |
paolo.bragagni |
if(!isset($_GET['code'])) { $_SESSION['state'] = bin2hex(random_bytes(5)); $authorize_url = $idp->authorization_endpoint.'?'.http_build_query([ 'response_type' => 'code', 'client_id' => $client_id, 'redirect_uri' => $url1, 'state' => $_SESSION['state'], 'scope' => 'openid profile', //'code_challenge' => $code_challenge, // PKCE NON ABILITATO SU ARPA //'code_challenge_method' => 'S256', |
# |
May 11th 2021, 15:05 |
paolo.bragagni |
first time that my Authenticator is fired: |
# |
May 11th 2021, 15:02 |
ndm |
That should be what you're using irrespective of the used authenticators, yes. Can't really give too much concrete advice, without seeing that juicy code I'm only shooting in the dark here :) |
# |
May 11th 2021, 14:59 |
paolo.bragagni |
probably I have to write my logout $this->Authentication->logout(); |
# |
May 11th 2021, 14:58 |
paolo.bragagni |
BUT I cant logout |
# |
May 11th 2021, 14:58 |
paolo.bragagni |
then I can login with that user ecc ecc |
# |
May 11th 2021, 14:57 |
paolo.bragagni |
then I can register (and it gets data from provider and write in local user table) in perfect way |
# |
May 11th 2021, 14:56 |
paolo.bragagni |
:) |
# |
May 11th 2021, 14:56 |
paolo.bragagni |
my app try to autenticate and redirect to login / register view in beautiful way |
# |
May 11th 2021, 14:55 |
paolo.bragagni |
we have our identity provider and I'll get a clientid and clientsecret for each app that we'll create |
# |
May 11th 2021, 14:54 |
paolo.bragagni |
is application specific |
# |
May 11th 2021, 14:48 |
slackebot |
your app shouldn't automatically try to authenticate in the first place? |
# |
May 11th 2021, 14:48 |
ndm |
@paolo.bragagni I mean, I'm not sure, in case the identity provider keeps state, then maybe, possibly, not sure... be careful I guess, most people misunderstand how OAuth is not ment for authentication, luckily I was mostly able to avoid touching SSOs so far. I guess if it all, you'd only do that if the provider is application specific, certainly you wouldn't want to log people out of all of their apps. That being said, maybe |
# |
May 11th 2021, 14:43 |
paolo.bragagni |
(and it reauthenticates) |
# |
May 11th 2021, 14:41 |
paolo.bragagni |
it fires my authenticate method |
# |
May 11th 2021, 14:41 |
paolo.bragagni |
when I call $this->Authentication->logout(); |
# |
May 11th 2021, 14:33 |
paolo.bragagni |
thanks. probably oauth2 provider need to logout? |
# |
May 11th 2021, 14:28 |
ndm |
So you are probably best off allowing access to the logout. Why your authenticator is re-authenticating on logout (automatically I suppose?), that's not something anyone could really answer, you'd have to show the involved code. |
# |
May 11th 2021, 14:26 |
paolo.bragagni |
so... (??) |
# |
May 11th 2021, 14:26 |
ndm |
Yeah, the consistent response is a good argument, there's not really a need to fail hard on logout. The cleanup thing, I'm not too convinced, as the app's authentication should be able to handle "dirty" data when authenticating, as it cannot expect users do always gracefully logout. |
# |
May 11th 2021, 14:19 |
ndm |
@dereuromark I mean... yeah, maybe. I can't think of how such a partial logout could look like right now, but I'm it's possible :upside_down_face: |
# |
May 11th 2021, 14:15 |
ndm |
@etibor You might be lacking a dedicated `else` branch, hard to say without seeing your complete code. |
# |
May 11th 2021, 14:14 |
paolo.bragagni |
but when I logout in some way it reauthenticate |
# |
May 11th 2021, 14:13 |
paolo.bragagni |
my authenticate function is for oauth2 |