On 12/11/2013 4:01 PM, Bill Burke wrote:
On 12/11/2013 2:27 PM, Stian Thorgersen wrote:
> I added a cancel button to the login form. It results in a redirect to "<redirect_uri>?error=access_denied".
>
> Problem with it is that it doesn't make sense for all applications to have it. This mainly applies to applications that require a login, for example the admin console.
> Question is what do we do for those? Some alternatives:
>
This is not a problem IMO. Let the application decide how it wants to
handle a cancel.
I think there should still be some default behavior. I'm thinking about
the case where an application was written without any security in mind.
You just have this unsecured app that you want to hide behind SSO. That
application wouldn't know what to do.
> * Add an optional query param to login that disables it (.../tokens/login?nocancel)
> * Add a config option to the app that's set through admin console
> * Leave it and make the app show a sensible error message - "You're required to login blah blah, click here to login"
>
or
* redirect to "<redirect_uri>?error=cancelled"
or
* redirect to "<redirect_uri>?cancelled=true"
or from openid connect
* redirect to "<redirect_uri>?error=interaction_required"
Admin console would see this and just redirect back to the login page.
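A client-side callback handler for the cancel redirect discussed in this thread, written in Python as an added example; it is not Keycloak code and not code posted by anyone in the thread. The `handle_callback` function, its return values and the `login_required` flag are hypothetical names chosen here. It accepts every form proposed above (`error=access_denied`, `error=cancelled`, `error=interaction_required`, `cancelled=true`) and applies the default behaviour the thread asks for: an application that requires a login (the admin console case) goes back to the login page, while an application with anonymous pages just continues without a session. The `state` comparison is a standard OAuth 2.0 client check that the thread does not mention; it keeps an unsolicited or replayed error redirect from triggering anything.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Error codes a client may see on its redirect_uri after the user cancels.
# "access_denied" is defined by OAuth 2.0 (RFC 6749, section 4.1.2.1),
# "interaction_required" by OpenID Connect Core (section 3.1.2.6),
# "cancelled" is the non-standard value floated in the thread.
CANCEL_ERRORS = {"access_denied", "interaction_required", "cancelled"}


@dataclass
class CallbackDecision:
    # action is one of: "exchange_code", "retry_login",
    # "continue_anonymous", "show_error", "reject"
    action: str
    detail: str = ""


def _first(params: dict, key: str):
    """Return the first value of a query parameter, or None."""
    values = params.get(key)
    return values[0] if values else None


def handle_callback(redirect_url: str, expected_state: str,
                    login_required: bool = True) -> CallbackDecision:
    """Decide what the client application does with the redirect the
    authorization server sent to its redirect_uri.

    expected_state is the state value the client stored when it started the
    login; login_required says whether the app has anything to show without a
    session (False for a site with public pages, True for an admin console).
    """
    params = parse_qs(urlparse(redirect_url).query)

    # Only act on responses that belong to a login this client started.
    if _first(params, "state") != expected_state:
        return CallbackDecision("reject", "state mismatch")

    error = _first(params, "error")
    cancelled_flag = _first(params, "cancelled") == "true"

    if error is None and not cancelled_flag:
        code = _first(params, "code")
        if not code:
            return CallbackDecision("reject", "neither code nor error present")
        # Normal success path: hand the code to the token endpoint next.
        return CallbackDecision("exchange_code", code)

    if cancelled_flag or error in CANCEL_ERRORS:
        reason = error or "cancelled"
        if login_required:
            # Nothing to render without a session: send the user back to login.
            return CallbackDecision("retry_login", reason)
        # Public app: carry on as an anonymous user.
        return CallbackDecision("continue_anonymous", reason)

    # Any other error (server_error, invalid_scope, ...) is shown to the user.
    return CallbackDecision("show_error", error)


if __name__ == "__main__":
    # Constructed sample redirects, not captured from a real server.
    for url in (
        "https://app.example/cb?error=access_denied&state=s1",
        "https://app.example/cb?cancelled=true&state=s1",
        "https://app.example/cb?code=abc123&state=s1",
        "https://app.example/cb?error=access_denied&state=other",
    ):
        print(url, "->", handle_callback(url, "s1"))
```

The function returns a decision rather than performing the redirect itself, so the same logic can sit behind a servlet filter, a Flask view or a test harness; the caller maps `retry_login` to a redirect to `.../tokens/login` and `exchange_code` to the token request.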