IMO, action tokens should be implemented correctly, as a feature, not as
an optimization to support cross-DC. This means support for one-time-use
policies, etc.
On 3/28/17 5:56 AM, Hynek Mlnarik wrote:
>> * Aren't action tokens supposed to be independent of User sessions
>> anyways?
>> * How can somebody continue with the login flow with an action token?
>> Aren't you still going to have to obtain the user session?
> Not have to, and yes, I can make use of it to continue in the session
> in progress.
I'm saying do you have to/should you verify that the action token
originated from a specific session in order to continue the session? I
don't know, just asking. These are all things you have to take into
account and figure out how to easily hide or provide through the
Authentication/Required Action SPI too.
Bill