My application is configured to get the access_token from the authorization code sent by the IDP. Below is the flow:
- I request an organization application (SP).
- The organization application redirects me to the IDP login page, where I enter the username and password.
- After successful authentication, the IDP redirects me to the organization application URL with the auth code appended as a request param.
- Now the organization application saves this code in the application session and then gets the access_token using the auth code provided by the IDP.
- If I again request the organization application (SP), the application checks whether the session has the auth code, and if it does, it will not redirect me to the IDP login page to get the auth token. This is how the application works in the context of login.
Now if the session expires and we request the organization application, this time the application directly redirects me to the IDP to get the authorization code, without a username and password.
My question is how this magic is happening. How does it get the user info from my browser? I thought it might be using cookies to get the user info, but after deleting all cookies from the browser, it could still get the auth code without asking me to enter a username and password.
Where is it getting the user information from? I tried it with the Chrome and Edge browsers and the result is the same for both.
I am using PingFederate as the IDP.
The IDP (or authorization server, or both, depending on the exact setup) issues a session cookie after the user authenticates. If you perform an RP-initiated logout, or clear all IDP cookies, this forces a re-login.
If the IDP session cookie remains valid, the user will not be prompted for credentials the next time they are redirected to authenticate, e.g. if the application session / token lifetime is shorter than the IDP session time.
Often this is best resolved by configuring the app's refresh token and IDP session time to be the same. Applications can also send the OpenID Connect prompt=none parameter at any time to force re-authentication.
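A toy model of the two independent sessions the answer describes, as an added Python illustration (not PingFederate code and not the poster's application): the IdP's authorization endpoint decides whether to show a login page based on its own session cookie, not on the application's session, and handles the OpenID Connect prompt values login and none as specified in OpenID Connect Core 1.0. Class and function names, lifetimes and the credential check are assumptions.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class IdPModel:
    """Toy identity provider (constructed): keeps its own SSO session, separate from any app session."""
    session_lifetime: int                              # IdP session length, seconds
    sessions: Dict[str, Tuple[str, int]] = field(default_factory=dict)  # cookie -> (user, expiry)
    codes: Dict[str, str] = field(default_factory=dict)                 # auth code -> user

    def login(self, user: str, password: str, now: int) -> str:
        """Credential check (constructed: any non-empty password passes) that sets the IdP cookie."""
        if not password:
            raise PermissionError("invalid credentials")
        cookie = secrets.token_urlsafe(16)
        self.sessions[cookie] = (user, now + self.session_lifetime)
        return cookie

    def authorize(self, idp_cookie: Optional[str], now: int,
                  prompt: Optional[str] = None) -> Tuple[str, str]:
        """Authorization endpoint. Returns one of:
        ("code", <auth code>)        - silent re-auth, no credential prompt
        ("prompt", "login page")     - user must enter username/password
        ("error", "login_required")  - prompt=none but no usable IdP session
        """
        sess = self.sessions.get(idp_cookie) if idp_cookie else None
        has_session = sess is not None and sess[1] > now
        if prompt == "login" or not has_session:
            if prompt == "none":                 # OIDC Core 3.1.2.6: never show UI
                return ("error", "login_required")
            return ("prompt", "login page")
        code = secrets.token_urlsafe(8)
        self.codes[code] = sess[0]
        return ("code", code)


def app_request(app_session: dict, app_lifetime: int, idp: IdPModel,
                idp_cookie: Optional[str], now: int) -> str:
    """The organization application (RP, constructed). Reuses its own session while valid;
    otherwise redirects to the IdP, which prompts only if ITS session is gone."""
    if app_session.get("expiry", 0) > now:
        return "served from app session"
    outcome, value = idp.authorize(idp_cookie, now)
    if outcome == "code":
        # The real app would now exchange the code for an access_token.
        app_session.update(code=value, expiry=now + app_lifetime)
        return "silent re-auth via IdP cookie"
    return "user prompted for credentials"
```

The poster's observation corresponds to an application session (here 300 s) expiring while the IdP session (3600 s) is still valid; only an expired or cleared IdP cookie, or prompt=login, produces a credential prompt.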