Design notes on IDP-961

The use case is the ability to construct flows (or callouts to servlets) that leverage the IdP authentication layer, and optionally the AccessControl service, to protect user and admin features. These features require identifying a user, to control the data acted on and/or to apply access control to the features themselves.

Admin functions would eventually include accessing metrics/state, checking on sessions, administrative logout, managing MFA token registrations, and many others long term.

User functions include registering/managing MFA tokens, managing privacy/consent state, reviewing current application sessions (maybe, seems like a security risk to show that info, much like logout does).

Ideal

I'd rather just implement RP support and be done with it (so the IdP issues an assertion to itself), but we still don't have all the code for that yet in Java and it would take much longer than I have to spend on it to do well. I think we could work out a design that's less perfect but that we can eventually tap into later if we do the RP thing.

Interim

As a middle ground, I have a model in mind of implementing a reusable parent flow:

  • Set up profile request state (usual preamble to all our flows)