
Validation of the expiration of the identity token breaks Neos Backend Editing #15

Open
daniellienert opened this issue Sep 30, 2020 · 1 comment

Comments

@daniellienert
Contributor

In https://github.com/flownative/flow-openidconnect-client/blob/master/Classes/Authentication/OpenIdConnectProvider.php#L101 the exp of the identity token is validated and, when it is not valid, the status is set to TokenInterface::AUTHENTICATION_NEEDED. With this, the client is redirected to the IDP.

When editing in the backend, this also happens in the guest frame, where the CORS settings deny the redirect.

After reading through the basics (https://openid.net/specs/openid-connect-core-1_0.html#IDToken) and https://stackoverflow.com/questions/25686484/what-is-intent-of-id-token-expiry-time-in-openid-connect it seems to me that coupling the user's session expiration time in Neos to the identity token expiration might not be correct.

In our case, the identity token's exp is just 1 minute by default, which makes editing impossible.
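Added example (not part of this issue or of the flownative client): the ID token's exp is checked once when the token is received, as OIDC Core 3.1.3.7 requires, while the application session gets its own lifetime; the issuer, audience, timestamps and session lifetime are constructed placeholders.

```python
# Constructed sample: claims of an ID token whose exp is only 60 s after
# issuance, the situation described in the issue.
ISSUED_AT = 1_600_000_000
SAMPLE_CLAIMS = {
    "iss": "https://idp.example.test",  # placeholder issuer
    "aud": "neos-backend",              # placeholder client_id
    "iat": ISSUED_AT,
    "exp": ISSUED_AT + 60,
    "sub": "editor-1",
}
SESSION_LIFETIME = 3600  # seconds; chosen by the application, not by the IdP


def validate_id_token_at_login(claims, expected_iss, expected_aud, now):
    """Checks from OIDC Core 3.1.3.7, applied once at authentication time.
    Signature verification against the IdP's JWKS is assumed to have
    already succeeded (not shown here)."""
    if claims.get("iss") != expected_iss:
        return False
    if claims.get("aud") != expected_aud:
        return False
    # exp bounds the authentication event, not the application session.
    if now >= claims["exp"]:
        return False
    return True


def establish_session(claims, now):
    """Session lifetime is decoupled from the ID token's exp."""
    return {"sub": claims["sub"], "expires_at": now + SESSION_LIFETIME}


def session_is_valid(session, now):
    """Per-request check: only the application's own session expiry counts."""
    return now < session["expires_at"]


def token_exp_coupled_check(claims, now):
    """The coupled behaviour the issue reports: re-checking exp on every
    request, which forces re-authentication one minute after login."""
    return now < claims["exp"]
```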

@lorenzulrich

@daniellienert Did you find a solution for this in the meantime?
