OIDC okta testing #386
The PR is quite clear to me. I've only 2 points, regarding MapStore behavior and doc:

- I missed the logic behind `UserRedirectRequiredException`. I'm trying to guess: if the session token is still valid, but refresh is not allowed anymore (because of this exception), the session token will expire soon. This depends on the server policy but it can be the case when, for instance, the max refresh extent is finished or too much time has passed or something. Isn't it? If so, MapStore can ignore this message until the logout kicks out the user... that is not so kind in any case. So maybe it is the case to show a warning saying that the token is near to expire. In this case, knowing when the token is going to expire could be useful. What do you think @afabiani?
- I see there are new configurable params like `maxRetry`, `initialBackoffDelay` and `backoffMultiplier`. We need to remember to document these params too.
@offtherailz MapStore can ignore the message or show a warning to the user if needed, it's up to you. This depends mainly on the provider configuration. It is a common use case when using Keycloak, as an instance.
In this updated version of the `SessionDelegate`, upon a `Refresh` request the backend also checks:

- the `refresh-token` request is returning a valid code
- the `accessToken` is still valid, in the case the previous one fails for some reason

Other than that, the `SessionToken` bean has been updated in order to return back also a `Warning` or `Error` message with the explanation of the failures.

As an instance, in the case the remote `refresh-token` request throws a `UserRedirectException` because it needs manual validation but the current `AccessToken` is still valid (not expired), the `SessionToken` will be still valid, by using the current `AccessToken`, but it will provide a `Warning` message like the one below.

In case of `Errors`, the returned `AccessToken` and `RefreshToken` will be `EMPTY` with an `ErrorMessage` explaining the cause.

More Unit Tests have been added and the old ones updated accordingly to the new behavior.

Fix https://github.com/geosolutions-it/webmapper-halliburton/issues/3595
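The refresh decision described in the PR description above, as an added illustration in Python and not the project's own Java code: `refresh_session`, the `do_refresh` callback and the `SessionToken` dataclass are assumptions modelled on the bean described in the post, and `max_retry`, `initial_backoff_delay` and `backoff_multiplier` mirror the configurable params named in the review. It shows the three outcomes: fresh tokens on success, the still-valid access token plus a warning when the provider demands user interaction, and empty tokens plus an error once that access token has expired.

```python
import time
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed stand-in for the provider exception named in the PR thread.
class UserRedirectRequiredException(Exception):
    """The provider refuses a silent refresh: the user must re-authenticate."""

@dataclass
class SessionToken:
    # Hypothetical model of the SessionToken bean: empty tokens plus an error
    # on hard failure, a warning when a stale-but-valid access token is kept.
    access_token: str = ""
    refresh_token: str = ""
    expires_at: float = 0.0        # epoch seconds
    warning: Optional[str] = None
    error: Optional[str] = None

def refresh_session(current: SessionToken,
                    do_refresh: Callable[[str], SessionToken],
                    max_retry: int = 3, initial_backoff_delay: float = 0.0,
                    backoff_multiplier: float = 2.0,
                    now: Callable[[], float] = time.time,
                    sleep: Callable[[float], None] = time.sleep) -> SessionToken:
    """Try the refresh-token request with backoff; fall back to the current
    access token while it is still valid; otherwise return empty tokens."""
    delay = initial_backoff_delay
    failure = "refresh-token request was never attempted"
    for attempt in range(1, max_retry + 1):
        try:
            fresh = do_refresh(current.refresh_token)
            if fresh.access_token:
                return fresh                    # happy path: new tokens
            failure = "refresh-token response carried no access token"
        except UserRedirectRequiredException as exc:
            failure = f"provider requires user interaction: {exc}"
            break                               # retrying cannot help here
        except Exception as exc:                # transient provider/network error
            failure = f"refresh-token request failed: {exc}"
        if attempt < max_retry:
            sleep(delay)
            delay *= backoff_multiplier
    remaining = current.expires_at - now()
    if current.access_token and remaining > 0:
        return SessionToken(current.access_token, current.refresh_token,
                            current.expires_at,
                            warning=f"{failure}; keeping current access token "
                                    f"({int(remaining)}s left)")
    return SessionToken(error=f"{failure}; current access token expired")
```

The `now` and `sleep` parameters exist only so the backoff and expiry checks can be driven deterministically in tests; production callers leave them at their defaults.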