[aerogear-dev] [AG security] Handling multiple login flows for the same user

Sebastien Blanc scm.blanc at gmail.com
Mon Mar 18 07:08:03 EDT 2013


Hi Folks,
I started this thread to figure out how to handle a particular situation.
Currently, when we log in to an application using ag-security-pl (and
implicitly through PicketLink) and the user was already logged in, we get
an "UnexpectedCredentialException".
The Aerogear Controller Demo, for example, handles this exception by
displaying an error page saying: "user already logged in, maybe you
should log out".

But I was really thinking about where the responsibility lies for handling
this very common use case (the same is applicable for the "register" flow):
I have user Bob who has his *Device A* and *B* using Application
*SlackerApp*:

- He logs into *SlackerApp* with *Device A*.
- While still logged in with *Device A*, he logs into *SlackerApp* with
*Device B* (for a concrete example, think of Bob using Twitter on his laptop
when working and his mobile when he is in the bathroom).

In this situation, the login flow for *Device B* will have to handle an
*UnexpectedCredentialException*. I see 3 situations for handling this:

- *SlackerApp* handles the exception:
  - by swallowing it and returning a successful login status,
  - by throwing an error page (which can be strange for Bob, who wants to
    use his app on Device B)
- *AG security* handles the exception:
  - by swallowing it and returning a successful login status,
  - by throwing an HTTP status
- *PicketLink* handles the exception:
  - by swallowing it and returning a successful login status,
  - by throwing an HTTP status

I'm just wondering what the best way to handle this is.

Seb