"Partial Login" strategies


Pablo Vidaurri

Feb 22, 2022, 12:15:35 PM
to CAS Community
Hi, not sure exactly what this is called but I'm sure you have seen it on Amazon, Best Buy, etc. You have access to view browsing history, shopping cart, etc but when you actually click on order history, profile, etc you are prompted to log in.

So some items are viewable, but once you start to interact you get prompted to log in.

How does a site do something like that? I'm assuming CAS doesn't offer anything like that, correct?

Ray Bon

Feb 22, 2022, 3:15:11 PM
to cas-...@apereo.org
Pablo,

That kind of behaviour is in your application and has nothing to do with CAS. If the application determines that a user needs to log in, then send them to CAS.

Ray

-- 
Ray Bon
Programmer Analyst
Development Services, University Systems

I acknowledge and respect the lək̓ʷəŋən peoples on whose traditional territory the university stands, and the Songhees, Esquimalt and WSÁNEĆ peoples whose historical relationships with the land continue to this day.

Carl Waldbieser

Feb 22, 2022, 3:27:13 PM
to cas-...@apereo.org
I agree with Ray that most of the heavy lifting for that scenario would be in the application.  However, what is going on is that there are different levels of access based on the session context.
So if I am able to log in simply because of a long-lived session cookie, I have access to some parts of my user data.  But to make changes or spend money, I need to have additional authorization, often in the form of a more recent authentication.

CAS can still be a component in that kind of authentication/access control decision, but the enforcement of such a policy is typically within the application.  For example, an application may allow you to view your data with a simple authentication.  But in order to modify or access your stored credit card information, you may be required to authenticate with some kind of MFA.  CAS can provide attributes that can aid the application in deciding whether or not this type of access should be granted.  But it is typically the application's responsibility to enforce that kind of access control.

Thanks,
Carl Waldbieser
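As an added example (not code from this thread, and not part of CAS itself), this is the kind of application-side policy check Carl describes: the application decides per resource whether a remembered session is enough, whether a recent authentication is needed, or whether MFA is required, and only then sends the user to CAS. The paths, the 15-minute window, and the `methods` set (assumed to be filled from attributes released in the CAS validation response) are constructed assumptions.

```python
import time
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Optional


class Decision(Enum):
    ALLOW = "allow"
    LOGIN = "send-to-cas-login"     # no authenticated user at all
    REAUTH = "send-to-cas-renew"    # user known, but last authentication is too old
    MFA = "send-to-cas-mfa"         # user known, but a stronger authentication is needed


@dataclass(frozen=True)
class Session:
    user: Optional[str]             # None for an anonymous visitor
    auth_time: Optional[float]      # epoch seconds of the last CAS authentication
    methods: FrozenSet[str]         # assumed from CAS attributes, e.g. {"password", "mfa"}


@dataclass(frozen=True)
class Requirement:
    max_age: Optional[float] = None  # seconds; None = a long-lived session cookie is enough
    mfa: bool = False


# Constructed policy table with hypothetical paths mirroring the thread's examples.
FIFTEEN_MIN = 15 * 60
POLICY = {
    "/history": Requirement(),                                  # remembered session suffices
    "/cart": Requirement(),
    "/orders": Requirement(max_age=FIFTEEN_MIN),                # needs a recent authentication
    "/profile": Requirement(max_age=FIFTEEN_MIN),
    "/payment-methods": Requirement(max_age=FIFTEEN_MIN, mfa=True),
}
# Fail closed: any path not listed gets the strictest requirement.
DEFAULT = Requirement(max_age=5 * 60, mfa=True)


def decide(path: str, session: Session, now: Optional[float] = None) -> Decision:
    """Return what the application should do before serving `path`."""
    now = time.time() if now is None else now
    req = POLICY.get(path, DEFAULT)
    if session.user is None:
        return Decision.LOGIN
    if session.auth_time is None or session.auth_time > now:
        age = float("inf")          # missing or future-dated timestamp: treat as stale
    else:
        age = now - session.auth_time
    # MFA is checked before recency: a step-up at CAS also yields a fresh authentication,
    # so one redirect satisfies both requirements.
    if req.mfa and "mfa" not in session.methods:
        return Decision.MFA
    if req.max_age is not None and age > req.max_age:
        return Decision.REAUTH
    return Decision.ALLOW
```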


--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG