Product: TIBCO Spotfire®
Problem:
TIBCO Spotfire Server 'Auth request prompt value' setting in OpenID Connect
Solution:
The authentication request prompt value specifies whether the authorization server (TIBCO Spotfire Server) prompts the user for re-authentication and consent. Since TIBCO Spotfire OpenID Connect uses the Authorization Code flow, the possible values are none, login, consent and select_account.
Each of the possible values is described below.
NONE
The TIBCO Spotfire Server URL login screen does not display any authentication or user consent screens; the request returns an error if the user is not already authenticated and has not pre-configured consent for the requested claims. See the screenshot below for reference. You can use none to check for existing authentication and/or consent. When the request cannot be completed silently via single sign-on, the error code will typically be login_required, interaction_required or consent_required, as shown below.
LOGIN
The login prompt forces the user to enter their credentials on that request. If the authorization server cannot re-authenticate the end user, it MUST return an error, typically login_required. You may see the following log lines if the user is authenticated successfully.
DEBUG 2020-03-18T14:41:27,882-0400 [unknown, #0, #32] server.security.AuthenticationManager: Attempting authentication using the OpenID Connect authenticator
DEBUG 2020-03-18T14:41:28,561-0400 [unknown, #0, #32] auth.oidc.TokenEndpointResponse: Performing full ID token validation (including signature verification)
DEBUG 2020-03-18T14:41:29,055-0400 [unknown, #0, #32] auth.oidc.OidcAuthenticator: Successfully authenticated the user against the OpenID Connect provider 'Google' as 'tibco.com\priyanka' (Priyanka Reddy Cherabudla)
DEBUG 2020-03-18T14:41:29,055-0400 [unknown, #0, #32] server.security.PostAuthenticationFilterImpl: Collapsing domain tibco.com into SPOTFIRE
DEBUG 2020-03-18T14:41:29,073-0400 [unknown, #0, #32] server.security.SessionUtil: Renewing the session ID
DEBUG 2020-03-18T14:41:29,079-0400 [unknown, #0, #32] server.security.CsrfFilter: Generated a new CSRF token ('43b220c3cce4...') for the session since the session ID was changed
DEBUG 2020-03-18T14:41:29,081-0400 [unknown, #0, #32] server.security.SessionUtil: Generated a new 'internal session id': a3e29d0a0a09b32bf0cc9ace60949936
DEBUG 2020-03-18T14:41:29,094-0400 [priyanka, #0, #32] server.security.SecurityFilter: The client is successfully authenticated
CONSENT
The consent prompt SHOULD prompt the end user for consent before returning information to the client. If the authorization server cannot obtain consent, it MUST return an error, typically consent_required. You may see the following log lines if the user is authenticated successfully.
DEBUG 2020-03-18T14:50:11,335-0400 [unknown, #3, #32] server.security.AuthenticationManager: Attempting authentication using the OpenID Connect authenticator
DEBUG 2020-03-18T14:50:12,302-0400 [unknown, #3, #32] auth.oidc.TokenEndpointResponse: Performing full ID token validation (including signature verification)
DEBUG 2020-03-18T14:50:12,820-0400 [unknown, #3, #32] auth.oidc.OidcAuthenticator: Successfully authenticated the user against the OpenID Connect provider 'Google' as 'tibco.com\priyanka' (Priyanka Reddy Cherabudla)
DEBUG 2020-03-18T14:50:12,820-0400 [unknown, #3, #32] server.security.PostAuthenticationFilterImpl: Collapsing domain tibco.com into SPOTFIRE
DEBUG 2020-03-18T14:50:12,830-0400 [unknown, #3, #32] server.security.SessionUtil: Renewing the session ID
DEBUG 2020-03-18T14:50:12,836-0400 [unknown, #3, #32] server.security.CsrfFilter: Generated a new CSRF token ('5298f438bc94...') for the session since the session ID was changed
DEBUG 2020-03-18T14:50:12,838-0400 [unknown, #3, #32] server.security.SessionUtil: Generated a new 'internal session id': de45d25266d0070f82b9993d1d5fe29c
DEBUG 2020-03-18T14:50:12,847-0400 [priyanka, #3, #32] server.security.SecurityFilter: The client is successfully authenticated
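A defender-side check over log lines in the format shown for the login and consent prompts above, added here as an example (it is not part of the article or of the Spotfire product, and the sample lines are constructed with a made-up user and provider): it parses each line and confirms, per request thread, that ID token validation, session ID renewal and CSRF token regeneration all precede the "successfully authenticated" line, which is the sequence a healthy login should produce.

```python
import re

# One Spotfire Server debug line: LEVEL TIMESTAMP [user, #n, #m] logger: message
LINE_RE = re.compile(
    r"^(?P<level>[A-Z]+) (?P<ts>\S+) \[(?P<user>[^,\]]+), #(?P<a>\d+), #(?P<b>\d+)\] "
    r"(?P<logger>[\w.]+): (?P<msg>.*)$"
)
# Constructed sample modelled on the lines quoted in the article (values made up)
SAMPLE_LOG = """\
DEBUG 2020-03-18T14:41:27,882-0400 [unknown, #0, #32] server.security.AuthenticationManager: Attempting authentication using the OpenID Connect authenticator
DEBUG 2020-03-18T14:41:28,561-0400 [unknown, #0, #32] auth.oidc.TokenEndpointResponse: Performing full ID token validation (including signature verification)
DEBUG 2020-03-18T14:41:29,055-0400 [unknown, #0, #32] auth.oidc.OidcAuthenticator: Successfully authenticated the user against the OpenID Connect provider 'Example' as 'example.com\\alice' (Alice Example)
DEBUG 2020-03-18T14:41:29,073-0400 [unknown, #0, #32] server.security.SessionUtil: Renewing the session ID
DEBUG 2020-03-18T14:41:29,079-0400 [unknown, #0, #32] server.security.CsrfFilter: Generated a new CSRF token ('0000deadbeef...') for the session since the session ID was changed
DEBUG 2020-03-18T14:41:29,094-0400 [alice, #0, #32] server.security.SecurityFilter: The client is successfully authenticated
"""
# Events that must appear in this order on one request thread for a healthy login
EXPECTED = [
    ("auth.oidc.TokenEndpointResponse", "full ID token validation"),
    ("auth.oidc.OidcAuthenticator", "Successfully authenticated"),
    ("server.security.SessionUtil", "Renewing the session ID"),
    ("server.security.CsrfFilter", "Generated a new CSRF token"),
    ("server.security.SecurityFilter", "successfully authenticated"),
]

def parse(log_text):
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]

def check_login_sequence(log_text):
    """Per request thread (n, m): did token validation, session renewal and CSRF
    token regeneration all happen before the client was marked authenticated?
    Returns {thread: {"ok", "user", "provider", "missing"}}."""
    by_thread = {}
    for rec in parse(log_text):
        by_thread.setdefault((rec["a"], rec["b"]), []).append(rec)
    results = {}
    for thread, recs in by_thread.items():
        pos, user, provider = 0, None, None
        for rec in recs:
            if (pos < len(EXPECTED) and rec["logger"] == EXPECTED[pos][0]
                    and EXPECTED[pos][1] in rec["msg"]):
                pos += 1
            m = re.search(r"provider '([^']+)' as '([^']+)'", rec["msg"])
            if m:
                provider, user = m.groups()
        missing = [f"{lg}: {needle}" for lg, needle in EXPECTED[pos:]]
        results[thread] = {"ok": not missing, "user": user,
                           "provider": provider, "missing": missing}
    return results
```

A thread whose "missing" list is non-empty reached "successfully authenticated" without one of the expected steps, or never reached it at all, and is worth a closer look.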
SELECT_ACCOUNT
The TIBCO Spotfire Server login screen prompts the user to select a user account. This allows a user who has multiple accounts at the authorization server to select among the accounts for which they may have current sessions. If no value is specified and the user has not previously authorized access, the user is shown a consent screen.
Note: For information about authentication error codes such as login_required, interaction_required and consent_required, refer to the provider's documentation and to OpenID Connect Core section 3.1.2.6, Authentication Error Response.
CUSTOM PARAMETERS
From Spotfire 10.8 onwards, custom parameters can be specified, which makes it possible to use provider-specific parameters such as domain_hint (Azure AD) or hd (Google) to get a more user-friendly flow. This usually eliminates the need to select an account when you have, for example, both a personal account and a corporate account.
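The authorization request a relying party builds with each prompt value described above, together with the handling of the error codes login_required, interaction_required and consent_required, as an added example (not Spotfire's code; the endpoint, client ID and redirect URI are assumed placeholders). It also passes the provider-specific parameters hd and domain_hint from this section and falls back from a silent prompt=none probe to an interactive login, which is the pattern the none value exists for.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# Hypothetical values; real ones come from the provider's discovery document
AUTHZ_ENDPOINT = "https://provider.example.com/authorize"
CLIENT_ID = "spotfire-client"
REDIRECT_URI = "https://spotfire.example.com/spotfire/openid/callback"

VALID_PROMPTS = {"none", "login", "consent", "select_account"}
# Errors returned when a prompt=none request cannot be completed silently
SILENT_FAILURE_ERRORS = {"login_required", "interaction_required", "consent_required"}

def build_auth_request(state, nonce, prompt=None, custom_params=None):
    """Build the Authorization Code flow request URL.
    prompt: one of VALID_PROMPTS, or None to omit the parameter.
    custom_params: provider-specific extras, e.g. {"hd": "example.com"}
    for Google or {"domain_hint": "example.com"} for Azure AD.
    """
    if prompt is not None and prompt not in VALID_PROMPTS:
        raise ValueError(f"unsupported prompt value: {prompt!r}")
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",
        "state": state,  # anti-CSRF value, checked on the way back
        "nonce": nonce,  # bound into the ID token, checked during validation
    }
    if prompt is not None:
        params["prompt"] = prompt
    if custom_params:
        params.update(custom_params)
    return f"{AUTHZ_ENDPOINT}?{urlencode(params)}"

def handle_callback(callback_url, expected_state, prompt_used):
    """Classify the provider's redirect back to the relying party.
    Returns ("code", code) on success, ("retry", "login") when a silent
    prompt=none probe failed and an interactive login should follow,
    or ("error", reason) otherwise.
    """
    qs = parse_qs(urlparse(callback_url).query)
    # state must round-trip unchanged; otherwise treat the response as forged
    if qs.get("state", [None])[0] != expected_state:
        return ("error", "state_mismatch")
    if "code" in qs:
        return ("code", qs["code"][0])
    error = qs.get("error", ["unknown"])[0]
    if prompt_used == "none" and error in SILENT_FAILURE_ERRORS:
        return ("retry", "login")
    return ("error", error)
```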
Doc: Advanced OpenID Connect Settings
External: 3.1.2.1. Authentication Request
External: Send login request
External: 3.1.2.6. Authentication Error Response