Skip to:

  1. Skip to Jira Navigation
  2. Skip to Side Navigation
  3. Skip to Main Content

ToU consent broken in combination with multiple languages

Description

Let's assume we want to configure a single ToU statement and we would like to present it in multiple languages, depending on the user's browser settings.

For such a multi-lingual scenario, the current v3.3 configuration capabilities have two major limitations:

a) The key for the hash is based on the .text property and that results in different hashes when multiple languages need to be supported!

b) It is currently not possible to configure some other value than '.text' to be used as key
in the user configuration (${idp.home}/conf).

Although the class net.shibboleth.idp.consent.logic.impl.MessageSourceConsentFunction
would allow to set a different suffix, neither the system configuration (${idp.home}/system)
nor the user configuration (${idp.home}/conf) allow to set a different suffix.

We propose to fix this in the system configuration, e.g. as follows in
${idp_home}/system/flows/intercept/terms-of-use-beans.xml:

{{ <bean id="TermsOfUseConsentFunction"
class="net.shibboleth.idp.consent.logic.impl.MessageSourceConsentFunction"

  • p:consentKeyLookupStrategy-ref="shibboleth.consent.terms-of-use.Key" />
    + p:consentKeyLookupStrategy-ref="shibboleth.consent.terms-of-use.Key"
    + p:consentValueMessageCodeSuffix=".text" />
    %{idp.consent.terms-of-use.consentValueMessageCodeSuffix:.text}
    }}

And additionally in ${idp_home}/conf/idp.properties:

{{+# Suffix of the message property to be used as key to store the consent.
+# Default is to use the text that is shown to the user.
+#idp.consent.terms-of-use.consentValueMessageCodeSuffix = .text
}}

As a current workaround we introduced a new .html property (see below), but it would be more straightforward to make the property configurable that gets used for the key, e.g. .version.

We adapted the following in consent-intercept-config.xml:

{{<alias alias="shibboleth.consent.terms-of-use.Key" name="shibboleth.SingleTermsOfUseText" />

<bean id="shibboleth.SingleTermsOfUseText"
class="com.google.common.base.Functions" factory-method="constant">
<constructor-arg value="my-terms-of-use" />
</bean>}}

and we originally included in messages.properties:

{{my-terms-of-use = my-tou
my-tou.title = Example Terms of Use
my-tou.text = <p>Example organization Terms of Use (ToU)</p> \ <p>Lorem ipsum dolor sit amet, \ consectetur adipiscing elit. \ </p>
}}

The key is the .text property. As soon as we add the my-tou.text property in additional languages, the key for each language is different!
Provided a user switches between browsers with different language settings, this user will have to accept the ToU over and over again, simply because the hash is not the same for all languages.

Our workaround for this was to introduce an additional property my-tou.text.html, see below.

So we now included in messages.properties:

{{my-terms-of-use = my-tou
my-tou.title = Example Terms of Use
my-tou.text = ToU version 1.0 - 20170405
my-tou.html = <p>Example organization Terms of Use (ToU)</p> \ <p>Lorem ipsum dolor sit amet, \ consectetur adipiscing elit. \ </p>
}}

and we needed to replace in /opt/shibboleth-idp/views/intercept/terms-of-use.vm:

this line

#springMessageText("${termsOfUseId}.text", "Terms of Use Text...")

with this line

#springMessageText("${termsOfUseId}.html", "Terms of Use Text...")

For the translations we only add the properties my-tou.title and my-tou.html into the language dependent .properties file. That way, we have a single my-tou.text property as key for the hash!

That way you can even correct a typo or a minor change that does not require a new approval in any of the languages. From now on, you only change the version information in the my-tou.text property when the legal counsel asks you to replace the current ToU version with a new one that requires approval. That has to happen in sync for all the languages.

Environment

None

Attachments

1

Activity

Show:

Tom Zeller September 26, 2018 at 11:06 PM

be8b735

Needs documentation.

Tom Zeller February 28, 2018 at 9:49 PM

My plan is to introduce a new property with suffix .displayText}} which is displayed preferentially over the {{.text property.

I am leaning towards {{.displayText}} instead of .html because the use of {{display}}  as a prefix seems to be consistent with other parts of the IdP.

Still working on the details of how {{terms-of-use.vm}} will prefer the new property if it exists.

I'm open to naming suggestions.

I think the only change will be to {{terms-of-use.vm}} as well as documentation.

Scott Cantor April 7, 2017 at 5:31 PM

Interestingly, I think the real "bug" here is the point about being able to correct a typo without invalidating, so having the indirection is obviously a good idea.

I think you can make a strong case that different languages necessarily may mean the same thing but not in a way that would pass legal muster. It may well be appropriate to re-prompt for different languages just as a conservative approach. But I certainly get that it shouldn't be required, and having a separate property means you could choose which translations get assigned the same key.

Daniel Lutz April 7, 2017 at 1:41 PM

I've just done some testing on a test deployment of IdP 3.3.0. It worked as expected.

I tested as follows:

  • Enable 'terms-of-use' flow for SSO

  • Test login: Consent is required, terms-of-use is shown. Confirm ToU.

  • Apply patch.

  • Test login: Consent is not required. OK.

  • In conf/idp.properties, set "idp.consent.terms-of-use.consentValueMessageCodeSuffix = .version" in conf/idp.properties.
    In messages/messages.properties, set "example-tou-1.version" to the same value as "example-tou-1.text".

  • Test login: Consent is not required. OK.

  • In messages/messages.properties, set "example-tou-1.version = 2017040701".

  • Test login: Consent is required, terms-of-use is shown. Confirm ToU.

  • In messages/messages.properties, set "example-tou-1.version = 2017040702" and change "example-tou-1.text".

  • Test login: Consent is required, terms-of-use is shown with the new text. Confirm ToU.

Daniel Lutz April 7, 2017 at 12:45 PM

I've created a patch against the latest HEAD of java-identity-provider.
The change introduces the new property idp.consent.terms-of-use.consentValueMessageCodeSuffix and adapts system/flows/intercept/terms-of-use-beans.xml accordingly to allow deployers to change the key via the new property. (Please carefully check this patch for correctness as I haven't tested it in a real deployment.)

A deployer now can change the key as follows (example):

  • In conf/idp.properties, set "idp.consent.terms-of-use.consentValueMessageCodeSuffix = .version".

  • In messages/messages.properties, add "example-tou-1.version = 20170407".

Note: Deployers already having used the default ".text" suffix as key in their current setup can't easily change the key, as existing hash values would change and users would need to re-confirm the terms-of-use. An option for such deployers would be to use a new suffix ".version" and take the exact value of the existing ".text" property as initial value. On the next change of their terms-of-use, they can change to a simpler value. The documentation should mention this problem/option accordingly.

Fixed
Pinned fields
Click on the next to a field label to start pinning.

Details

Assignee

Reporter

Components

Fix versions

Affects versions

Created April 5, 2017 at 2:13 PM
Updated October 9, 2018 at 6:05 PM
Resolved October 3, 2018 at 10:29 PM
Configure