Comments (2)
@rickhoutman Spring Security uses a RequestCache to save requests before commencing the authentication process. After a successful authentication, it will use the SavedRequest from the RequestCache to re-trigger the request. In this scenario, the OpenID Connect authentication request is re-triggered to proceed with the OIDC flow. However, since the default RequestCache is HttpSessionRequestCache, the SavedRequest is removed from the session on a session timeout and the OIDC flow cannot continue.
If you would like to configure the default HttpSessionRequestCache, you can customize it via HttpSecurity.requestCache().
Having said that, I don't think this is a valid use case:
"I expect to be able to login after staying idle for a while on the login page."
Depending on what you mean by a while... if it's staying idle for 30 mins, then I believe this is an edge case, as most users will not sit at the login page for 30 mins and then attempt to login after that.
I'm going to close this, but if you need to fulfill this requirement then you can provide your own HttpSecurity.requestCache() that will not expire the SavedRequest after a session timeout.
from spring-authorization-server.
@jgrandja Thank you for your comment and for pointing me in the right direction. I agree it is a little bit of an edge case, but I still decided to solve this problem by using the CookieRequestCache in combination with the CookieCsrfTokenRepository.
In the default security filter chain I added:
    http.csrf(csrf -> csrf.csrfTokenRepository(new CookieCsrfTokenRepository()))
And added the bean:
    @Bean
    public RequestCache requestCache() {
        return new CookieRequestCache();
    }
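The two changes described in the comment above, assembled into one complete configuration class so the interaction is visible in one place. This is an added example, not the commenter's code and not part of the Spring Authorization Server project; the class name, the @Order value and the "authenticated for everything" authorization rule are assumptions, and the authorization server's own filter chain is left out. The point it shows: both pieces of login-page state that the default setup keeps in the HttpSession, the CSRF token and the SavedRequest, move into cookies, so a session that expires while the user sits on the login page no longer invalidates the form's CSRF token or loses the authorization request that should be replayed after login.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CookieCsrfTokenRepository;
import org.springframework.security.web.savedrequest.CookieRequestCache;
import org.springframework.security.web.savedrequest.RequestCache;

/**
 * Hypothetical "default" security chain for an authorization server's login page.
 * The authorization server endpoints chain (@Order(1) in the samples) is omitted here.
 */
@Configuration
@EnableWebSecurity
public class DefaultSecurityConfig {

    @Bean
    @Order(2) // assumption: runs after the authorization server chain
    public SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http,
                                                          RequestCache requestCache) throws Exception {
        http
            // assumption: everything not handled by the authorization server chain needs a login
            .authorizeHttpRequests(authorize -> authorize.anyRequest().authenticated())
            // CSRF token stored in a cookie instead of the HttpSession. The default
            // CookieCsrfTokenRepository marks the cookie HttpOnly; a server-rendered login
            // form reads the token from the request attribute, so that is fine here.
            // (A JavaScript client would need CookieCsrfTokenRepository.withHttpOnlyFalse().)
            .csrf(csrf -> csrf.csrfTokenRepository(new CookieCsrfTokenRepository()))
            // SavedRequest stored in a cookie instead of the HttpSession, so the pending
            // OIDC authorization request survives a session timeout on the login page.
            // Wiring it explicitly; Spring Security would also pick up the RequestCache
            // bean below on its own.
            .requestCache(cache -> cache.requestCache(requestCache))
            .formLogin(Customizer.withDefaults());
        return http.build();
    }

    @Bean
    public RequestCache requestCache() {
        // Cookie is set HttpOnly, and Secure when the saving request itself was HTTPS;
        // the cached URL is only replayed for a request whose full URL matches it.
        return new CookieRequestCache();
    }
}
```

What changes from the defender's side is where the state lives: the saved request is now client-held cookie state rather than server-side session state, so it has no server-enforced lifetime and is bound to the browser, not to a session record. CookieRequestCache only replays the cached URL when it matches the request actually being made, which keeps it in its role as a post-login redirect rather than a general "next" parameter.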