
Explicit Authentication request is skipped if a user is logged in already (due to cookie I believe)

Rafi_Cohen
Champ in-the-making

Hi, we have the following setup:

  • Nuxeo running in an embedded iFrame, which is a part of our application
  • To use our application, the user must log in to it
  • To use Nuxeo, the user clicks on a dedicated button, which causes the iFrame to SSO to Nuxeo, using the currently logged-in user's credentials

The problem is that:

  • user A logs in to our application
  • user A clicks the iFrame button
  • iFrame related code explicitly sends auth request with A's credentials to nuxeo/nxstartup.faces
  • the auth is handed to our SSO plugin, and upon successful auth A gets into Nuxeo
  • user A logs out of our application
  • user B logs in to our application
  • user B clicks the iFrame button
  • iFrame related code explicitly sends auth request with B's credentials to nuxeo/nxstartup.faces
  • --->>> Nuxeo consumes the auth request, and lets user B in, while displaying user 'A' as the one being logged in; looking into server.log confirms that the auth request for user B never reaches our SSO plugin

Could anyone please advise on how to resolve the issue?

P.S.

  • I have tried to delete the JSESSIONID cookie from within the main application code, but I cannot even see it (I think it is because our application and Nuxeo are on different domains).
  • If I am not mistaken, this has nothing to do with the use of an iFrame, i.e. I can reproduce by pasting the URLs the iFrame submits its requests to in a plain browser tab and get the same results

pibou_Bouvret
Elite Collaborator

That looks like a single global logout problem and depends on your SSO. For instance, with CAS, "user A logs out of our application" should imply a CAS logout. Other forms of global logout might be more complex to handle.
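
A minimal model of the behaviour discussed in this thread, added here as an illustration; it is not Nuxeo code and not code from either poster. The `Gateway` class, its method names and the sample tokens are hypothetical. It reproduces the stale-session symptom and shows two server-side remedies: the global logout mentioned in the reply, and (going beyond the reply) refusing to reuse a session whose user differs from the one asserted in the new auth request.

```python
import secrets

TOKENS = {"A": "tok-a", "B": "tok-b"}  # constructed sample credentials


def verify(user, token):
    """Stands in for the SSO plugin's credential check."""
    return TOKENS.get(user) == token


class Gateway:
    """Toy server side: a session store in front of an SSO check."""

    def __init__(self, sso_verify, rebind_on_mismatch):
        self.sessions = {}  # session cookie -> authenticated user
        self.sso_verify = sso_verify
        self.rebind_on_mismatch = rebind_on_mismatch
        self.plugin_calls = 0  # how often the SSO check actually ran

    def handle_auth_request(self, cookie, asserted_user, token):
        """Return (session cookie, user the server treats as logged in)."""
        current = self.sessions.get(cookie)
        if current is not None:
            if not self.rebind_on_mismatch or current == asserted_user:
                return cookie, current  # existing session wins, SSO check skipped
            del self.sessions[cookie]  # identity changed: drop the old session first
        self.plugin_calls += 1
        if not self.sso_verify(asserted_user, token):
            return None, None  # fail closed, no fallback to the old session
        new_cookie = secrets.token_urlsafe(16)  # fresh id, never reuse the old one
        self.sessions[new_cookie] = asserted_user
        return new_cookie, asserted_user

    def logout(self, cookie):
        """Global-logout hook: called when the user logs out of the host application."""
        self.sessions.pop(cookie, None)


def run(rebind_on_mismatch, global_logout, b_token="tok-b"):
    """Replay the thread's sequence; return (user seen for B's request, SSO calls)."""
    gw = Gateway(verify, rebind_on_mismatch)
    cookie, _ = gw.handle_auth_request(None, "A", "tok-a")  # A opens the iFrame
    if global_logout:
        gw.logout(cookie)  # A logs out of the host application
    # The browser still holds A's cookie when B's auth request is sent.
    _, seen = gw.handle_auth_request(cookie, "B", b_token)
    return seen, gw.plugin_calls
```
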
