I'm trying to protect a web application (an SPA which has its own login) with mod_auth_openidc. So this leads to the more complicated situation where 3 independent sessions are involved (mod_auth_openidc session, OIDC provider session and application session).
Basically the authentication seems to work fine, but I've been observing a weird behaviour on session expiry:
When the session expires I get redirected to the login page of the web application (NOT the OIDC login page).
However, submitting username and password through the application's login form leads to an error (apparently because it's not the application session that has expired).
When I reload the page showing the application login, I get redirected to the OIDC login page and can finally log in again.
But in this case I would have expected to be redirected to the OIDC login in the first place and not to the application login.
So my question is whether there might be a common pitfall that I've run into here.
Also I tried to align the session inactivity timeouts of the different sessions by setting "OIDCSessionInactivityTimeout 3600" (which should roughly match the timeout set for the web application itself). I suppose that if the web application does not use OIDC authentication directly there is no option to tie the timeout of the mod_auth_openidc session somehow to the one of the web application?
Please let me know if more information should be required to understand this issue.