Impossible to login after session timeout about spring-authorization-server HOT 2 CLOSED

@rickhoutman Spring Security uses a RequestCache to save requests before commencing the authentication process. After a successful authentication, it will use the SavedRequest from the RequestCache to re-trigger the request. In this scenario, the OpenID Connect authentication request is re-triggered to proceed with the OIDC flow. However, since the default RequestCache is HttpSessionRequestCache, the SavedRequest is removed from the session on a session timeout and the OIDC flow cannot continue.

If you would like to configure the default HttpSessionRequestCache, you can customize it via HttpSecurity.requestCache().

Having said that, I don't think this is a valid use case:

I expect to be able to login after staying idle for a while on the login page.

Depending what you mean by a while... if it's staying idle for 30 mins, then I believe this is an edge case as most users will not sit at the login page for 30 mins and then attempt to login after that.

I'm going to close this but if you need to fulfll this requirement then you can provide your own HttpSecurity.requestCache() that will not expire the SavedRequest after a session timeout.

from spring-authorization-server.

@jgrandja Thank you for your comment and pointing me in the right direction. I agree it is a little bit of an edge case, but I still decided to solve this problem by using the CookieRequestCache in combination with the CookieCsrfTokenRepository.

In the default security filter chain added:
http.csrf(csrf -> csrf.csrfTokenRepository(new CookieCsrfTokenRepository()))

And added bean:
@Bean public RequestCache requestCache() { return new CookieRequestCache(); }

from spring-authorization-server.