Skip to content

SSO Phase 1 Task 6: prompt / max_age / per-client reauth_policy gating + V83 migration #262

Description

@ahmetabdullahgultekin

Why: Silent launch must honor OIDC prompt/max_age and a per-client re-auth policy so a high-assurance tenant is never silently bypassed.

Done when:

  • Modify OAuth2Controller.authorize to add prompt + max_age params; add entity/OAuth2Client.java field + Flyway V83__oauth2_clients_reauth_policy.sql (reauth_policy VARCHAR(16) NOT NULL DEFAULT 'silent'; values silent|step_up|always; additive, consistent with the V82 cross_tenant precedent).
  • Failing tests first: prompt=none + no usable session → RFC login_required (not the widget action blob); prompt=login → never silent; reauth_policy=step_up → step-up-required signal; max_age exceeded → not silent; reauth_policy=silent within window → mints. Gate the mint branch through satisfiesPolicy().
    NOTE: this plan's V83 number predates the shipped V83 (widen chk_enrollment_method) — pick the next free migration version at implementation time.

source: docs/SSO_APP_LAUNCHER_PHASE1_PLAN.md:72


Migrated from docs/SSO_APP_LAUNCHER_PHASE1_PLAN.md (git history retains the original).

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions