Support for OIDC session expired page #40539
Nice, looks like a nice UX improvement.
docs/src/main/asciidoc/security-oidc-code-flow-authentication.adoc
a8b7475 to b250483
Hi @pedroigor, @gastaldi, thanks, yes, hope it will give users an easy option to control the UX better once the user session has expired.
LGTM, but I wonder if these pages shouldn't be under a specific config. Eg.
Hi @gastaldi, thanks,
Sure, it could've been done, I could've introduced an explicit group for it. But we already have an Also, now that you have mentioned this idea, we also have a Not an ideal situation, but hope we can compensate for that with JavaDocs and docs :-)
Hey @gastaldi @pedroigor Thanks, I already have an exciting follow-up enhancement request in mind :-)
Currently, a user whose session has expired or can no longer be refreshed (for example, RT itself is no longer valid) is redirected to the OIDC provider to re-authenticate, which can offer a poor UX. For example, imagine a user who has authenticated, is accessing an application page after some idle time, and is seeing an authentication challenge screen instead of a friendly page which informs the user: your session has expired, follow this link to re-authenticate.
This is exactly what this PR does: it lets users configure a session expired page. A user whose session has expired or can no longer be refreshed is redirected to this page, from where the user can re-login again, but in a normal interactive way.
One of the tests has been updated to confirm a redirect to such a page is initiated. Docs have been updated.
CC @calvernaz