Inconsistent behavior among issuers when app is unknown or unauthorized
Summary
This is the current situation when trying to access an application:
issue | CAS | SAML | OIDC |
---|---|---|---|
Issuer is disabled | PE_CAS_SERVICE_NOT_ALLOWED | PE_SAML_SERVICE_NOT_ALLOWED | PE_OIDC_SERVICE_NOT_ALLOWED |
Application is unknown | PE_CAS_SERVICE_NOT_ALLOWED | PE_SAML_UNKNOWN_ENTITY/PE_SAML_ERROR (#2631 (closed)) | PE_UNAUTHORIZEDPARTNER |
Application is known, but user fails the access rule check | PE_CAS_SERVICE_NOT_ALLOWED | PE_UNAUTHORIZEDPARTNER | PE_UNAUTHORIZEDPARTNER |
Design proposition
We need to make this more consistent. My proposals:
- Issuer being disabled is good as-is
- Unknown application should return a generic error such as PE_BADPARTNER or a new PE_UNKNOWNPARTNER
- User fails the access rule check should return a generic PE_UNAUTHORIZEDPARTNER
issue | CAS | SAML | OIDC |
---|---|---|---|
Issuer is disabled | PE_CAS_SERVICE_NOT_ALLOWED | PE_SAML_SERVICE_NOT_ALLOWED | PE_OIDC_SERVICE_NOT_ALLOWED |
Application is unknown | PE_UNKNOWNPARTNER | PE_UNKNOWNPARTNER (once #2631 (closed) is fixed) | PE_UNKNOWNPARTNER |
Application is known, but user fails the access rule check | PE_UNAUTHORIZEDPARTNER | PE_UNAUTHORIZEDPARTNER | PE_UNAUTHORIZEDPARTNER |
This needs to be documented in the upgrade notes so that users can update their custom messages.
@guimard @clement_oudot any objections?