We've had reports that users expect the force_provider_authentication setting to always require device authentication during login. That's not the case, it instead forces a token refresh during login, which fails if the user does not have the necessary permissions in the identity provider. That is documented in the comment in the broker.conf file:
|
## This works by forcing a token refresh during login, which fails if the |
|
## user does not have the necessary permissions in the identity provider. |
but it's not documented in https://documentation.ubuntu.com/authd/edge-docs/howto/configure-authd/#force-remote-authentication-with-the-identity-provider.
We should also consider whether the name is misleading and whether there is a better name for the setting (force_provider_permission_check?). See also the previous discussion.
We've had reports that users expect the
force_provider_authenticationsetting to always require device authentication during login. That's not the case, it instead forces a token refresh during login, which fails if the user does not have the necessary permissions in the identity provider. That is documented in the comment in thebroker.conffile:authd/authd-oidc-brokers/conf/variants/oidc/broker.conf
Lines 16 to 17 in 6ebaca8
but it's not documented in https://documentation.ubuntu.com/authd/edge-docs/howto/configure-authd/#force-remote-authentication-with-the-identity-provider.
We should also consider whether the name is misleading and whether there is a better name for the setting (
force_provider_permission_check?). See also the previous discussion.