Describe the bug
When I am on the login page without doing anything for more than 30 minutes (the default session timeout) and then try to log in, it is impossible to log in, because the authorization server doesn't know my client id, redirect uri, etc. anymore, because my session timed out.
To Reproduce
Create a new authorization server project using the getting started guide.
Expected behavior
I expect to be able to log in after staying idle for a while on the login page.
@rickhoutman Spring Security uses a RequestCache to save requests before commencing the authentication process. After a successful authentication, it will use the SavedRequest from the RequestCache to re-trigger the request. In this scenario, the OpenID Connect authentication request is re-triggered to proceed with the OIDC flow. However, since the default RequestCache is HttpSessionRequestCache, the SavedRequest is removed from the session on a session timeout and the OIDC flow cannot continue.
If you would like to configure the default HttpSessionRequestCache, you can customize it via HttpSecurity.requestCache().
Having said that, I don't think this is a valid use case:
I expect to be able to log in after staying idle for a while on the login page.
Depending on what you mean by a while... if it's staying idle for 30 mins, then I believe this is an edge case as most users will not sit at the login page for 30 mins and then attempt to login after that.
I'm going to close this but if you need to fulfill this requirement then you can provide your own HttpSecurity.requestCache() that will not expire the SavedRequest after a session timeout.
@jgrandja Thank you for your comment and pointing me in the right direction. I agree it is a little bit of an edge case, but I still decided to solve this problem by using the CookieRequestCache in combination with the CookieCsrfTokenRepository.
In the default security filter chain I added: http.csrf(csrf -> csrf.csrfTokenRepository(new CookieCsrfTokenRepository()))
And added the bean: @Bean public RequestCache requestCache() { return new CookieRequestCache(); }
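The configuration described in the comment above, written out as a complete Spring Security configuration class. This is an added example, not code from the Spring Authorization Server project or from the commenter; the class name, the filter-chain order and the authorizeHttpRequests rule are assumptions, and the wiring explicitly passes the RequestCache bean into the filter chain so the replacement is visible rather than relying on bean auto-detection.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.savedrequest.CookieRequestCache;
import org.springframework.security.web.savedrequest.RequestCache;

// Hypothetical class name; the authorization server filter chain (order 1) is
// assumed to be defined elsewhere, as in the getting started guide.
@Configuration
@EnableWebSecurity
public class DefaultSecurityConfig {

    // The saved request (here the /oauth2/authorize URL carrying client_id,
    // redirect_uri, etc.) is kept in a client-side cookie instead of the
    // HttpSession, so it survives a server-side session timeout. Note that
    // CookieRequestCache stores only the request URL, not headers or body,
    // and the value is client-controlled like any other cookie.
    @Bean
    public RequestCache requestCache() {
        return new CookieRequestCache();
    }

    @Bean
    @Order(2)
    public SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http,
                                                          RequestCache requestCache) throws Exception {
        http
            .authorizeHttpRequests(authorize -> authorize.anyRequest().authenticated())
            // CSRF token also moves out of the session so the login form POST
            // still carries a valid token after the session has expired.
            .csrf(csrf -> csrf.csrfTokenRepository(new CookieCsrfTokenRepository()))
            // Replace the default HttpSessionRequestCache mentioned in the thread.
            .requestCache(cache -> cache.requestCache(requestCache))
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}
```

To check the change, open the authorization endpoint, wait past the session timeout, and confirm the login still redirects back to the original /oauth2/authorize request rather than failing with missing client parameters.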