This repository has been archived by the owner on Oct 24, 2020. It is now read-only.

Handle Revoking Consent on CAS side #10

Open
rkorn86 opened this issue Aug 17, 2015 · 6 comments

rkorn86 commented Aug 17, 2015

As there is no login.vm displayed, but we have the CAS login theme, there should be some way to let the user revoke their release attribute grants on the CAS side.
So first there should be some UI on the CAS login page, like the checkbox defined in Shibboleth's login.vm:

    <div class="form-element-wrapper">
      <input id="_shib_idp_revokeConsent" type="checkbox" name="_shib_idp_revokeConsent" value="true">
      #springMessageText("idp.attribute-release.revoke", "Clear prior granting of permission for release of your information to this service.")
    </div>

And second, there should be some worker setting a request param for Shibboleth, so that this decision flow from system/flows/intercept/attribute-release-flow.xml is executed:

    <!-- If consent revocation was requested, skip reading from storage. -->

    <decision-state id="TestForRevokeConsent">
        <if test="opensamlProfileRequestContext.getSubcontext(T(net.shibboleth.idp.consent.context.ConsentManagementContext), true).getRevokeConsent()"
            then="RevokeConsent" else="ReadConsentFromStorage" />
    </decision-state>

@mmoayyed
Contributor

All of the changes you describe relate to either CAS or Shib. There is nothing for this plugin to do.

@rkorn86
Author

rkorn86 commented Aug 17, 2015

The work to be done on this plugin is to set ExternalAuthentication.REVOKECONSENT_KEY based on the user's checkbox setting (which does not exist yet) on the CAS side, in a new class implementing CasToShibTranslator, like:

    request.setAttribute(ExternalAuthentication.REVOKECONSENT_KEY, authenticatedPrincipalWantsToRevokeConsent);

To get this done, an upgrade to IdP 3.2.0 is required. See also http://svn.shibboleth.net/view/java-identity-provider/trunk/idp-authn-api/src/main/java/net/shibboleth/idp/authn/ExternalAuthentication.java?view=markup#l64

@rkorn86
Author

rkorn86 commented Aug 18, 2015

@mmoayyed Could you please reopen the issue?

mmoayyed reopened this Aug 18, 2015

@rkorn86
Author

rkorn86 commented Aug 18, 2015

While doing some hardcoded tests with request.setAttribute(ExternalAuthentication.REVOKECONSENT_KEY, true) inside a translator and an updated dependency on IdP 3.2.0-SNAPSHOT, I only get a blank page hanging on https://idp.example.com/idp/Authn/ExtCas?conversation=e1s1&ticket=ST-XXX. When setting ExternalAuthentication.REVOKECONSENT_KEY to false, everything works fine, like before on the old IdP dependency version.

@lmaylein

Same problem here (we have our own external authentication module). Blank page and no hint in the logs. Is there any news or are there any tips?

@mmoayyed
Contributor

You may want to discuss this on the shib-dev mailing list.
