Hi, thanks for the response!
Actually, what seems to happen is that when /authorize is called, the CAS OAuth20HandlerInterceptorAdapter.preHandle() is invoked, which in turn invokes the pac4j SecurityInterceptor. Eventually the org.pac4j.core.engine.DefaultSecurityLogic gets called and it checks (via DefaultAuthorizationChecker) whether an active pac4j profile can be found in the session store. It seems that if I call /authorize within some time (~10 min?) after a successful login to CAS, then there is an active profile in the session, the authentication & authorization are considered valid, and access is granted.
However, after waiting for some time, when I call /authorize there is no profile in the session store and eventually we end up in the MFA step.
Is anyone able to explain how this works and whether there is some way to affect the profile expiration in the session store, so that the pac4j engine would NOT consider the request authorized? I suppose we would otherwise want to keep the default functionality, but for some specific OAuth clients we would want MFA to be triggered on EVERY request to /authorize.
I might be completely lost too, would be happy to receive some insight on this if someone is aware :)
Many thanks!
Tom