OIDC Provider: Access to Authorization endpoint after token revoked


Article ID: 185532


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction

The following behavior is observed when a request is sent to the authorization endpoint after a token has been revoked.

After a user is authenticated by the OpenID Connect (OIDC) Provider, the issued token is explicitly revoked with a revoke request.
When the user then sends another request to the authorization endpoint, the OIDC Provider does not re-challenge the user for credentials.
This appears to be because the user's browser still holds a valid SMSESSION cookie, which the Provider validates and accepts as proof of authentication.

Question:
(1) Is this behavior as designed and expected?
(2) If so, is it necessary to use the optional parameter below for the user to be re-challenged?
According to the docops for the Authorization endpoint, 'prompt' is an optional request parameter. Specifying 'login' as its value avoids the behavior above, so that the user is authenticated again.

Authentication Using Authorization Code Flow / Authorization Endpoint 
- prompt
(Optional) Specifies whether Authorization Server must prompt the client for reauthentication and consent. Enter space delimited, case-sensitive ASCII string values. The following values are supported:
  login = Specifies that Authorization Server prompts the client for reauthentication. It returns an error if the reauthentication fails.

Environment

Release : 12.8.03

Component : CA Access Gateway

Resolution

Ans-(1): Yes. A revoke request to the OIDC Provider invalidates the token, but it does not delete the SMSESSION. The browser therefore still presents a valid SMSESSION cookie on the next request to the authorization endpoint, the Provider validates it, and the user is not re-challenged. This is expected behavior: token revocation is not a logout. As long as the SiteMinder session remains valid, the user can obtain a new authorization code, and with it new tokens, without entering credentials again.

Ans-(2): Yes. Send the 'prompt' parameter with the value 'login' in the request to the Authorization Endpoint. The Authorization Server then prompts the user to re-authenticate even though a valid SMSESSION exists, and returns an error if the re-authentication fails. Because the parameter is set by the client on each request, it only affects requests that carry it; a request without prompt=login will again be satisfied by the existing SMSESSION.
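The client-side request described in this answer, as an added example that is not part of the article or of CA Single Sign-On's own code. It builds a standard OIDC authorization-code request that carries prompt=login (together with state and nonce, and a PKCE code_challenge on the assumption that the provider supports RFC 7636), and it validates the redirect back to the client, including the error case in which the provider could not re-authenticate the user. The endpoint URL, client ID and redirect URI are placeholders constructed for the example; take the real values from the provider's discovery document and your client registration.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Placeholder authorization endpoint, constructed for this example.
# Use the authorization_endpoint from your provider's discovery document.
AUTHZ_ENDPOINT = "https://sso.example.com/oidc/authorize"


def _b64url(raw: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 requires for PKCE values."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def pkce_pair() -> tuple:
    """Return (code_verifier, S256 code_challenge).

    Assumption: the provider supports PKCE (RFC 7636). Drop the two
    code_challenge parameters below if it does not.
    """
    verifier = _b64url(secrets.token_bytes(32))
    challenge = _b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorization_request(client_id: str, redirect_uri: str,
                                scope: str = "openid profile",
                                force_login: bool = True) -> dict:
    """Build an authorization-code request URL.

    With force_login=True the request carries prompt=login, so the provider
    must re-authenticate the user even though the browser still presents a
    valid SSO session cookie (SMSESSION). Without it, the provider issues a
    new code on the strength of that session, even after earlier tokens were
    revoked. The returned state, nonce and code_verifier must be kept by the
    client (e.g. in the server-side session) until the callback arrives.
    """
    state = _b64url(secrets.token_bytes(24))   # binds the callback to this request
    nonce = _b64url(secrets.token_bytes(24))   # binds the ID token to this request
    verifier, challenge = pkce_pair()
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "nonce": nonce,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    if force_login:
        params["prompt"] = "login"
    return {
        "url": f"{AUTHZ_ENDPOINT}?{urlencode(params)}",
        "state": state,
        "nonce": nonce,
        "code_verifier": verifier,
    }


def parse_callback(callback_url: str, expected_state: str) -> dict:
    """Validate the redirect back to the client.

    Returns {"code": ...} on success, or {"error": ..., "error_description": ...}
    when the provider reports a failure, for example error=login_required when
    it could not re-authenticate the user for a prompt=login request.
    Raises ValueError if the state does not match the one this client issued.
    """
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [None])[0]
    if state != expected_state:
        raise ValueError("state mismatch: callback is not a reply to our request")
    if "error" in query:
        return {"error": query["error"][0],
                "error_description": query.get("error_description", [""])[0]}
    code = query.get("code", [None])[0]
    if code is None:
        raise ValueError("callback carries neither code nor error")
    return {"code": code}


if __name__ == "__main__":
    req = build_authorization_request("my-client", "https://app.example.com/callback")
    print("Redirect the browser to:", req["url"])
```

A client that wants a fresh login after revoking a user's tokens must send prompt=login on that specific authorization request; revoking at the provider alone leaves the SMSESSION-backed path open. When the provider cannot re-authenticate, the callback carries an error (typically login_required) instead of a code, and the client should treat that as a failed login rather than retrying without the parameter.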

Additional Information

Authentication Using Authorization Code Flow