flownative / flow-openidconnect-client

OpenID Connect Client SDK for Flow Framework
MIT License

Validation of the expiration of the identity token breaks Neos Backend Editing #15

Open daniellienert opened 4 years ago

daniellienert commented 4 years ago

In https://github.com/flownative/flow-openidconnect-client/blob/master/Classes/Authentication/OpenIdConnectProvider.php#L101 the exp of the identity token is validated, and when it is not valid the status is set to TokenInterface::AUTHENTICATION_NEEDED. With this, the client is redirected to the IDP.

When editing in the backend, this also happens in the guest frame, where the CORS settings deny the redirect.

After reading through the basics (https://openid.net/specs/openid-connect-core-1_0.html#IDToken) and https://stackoverflow.com/questions/25686484/what-is-intent-of-id-token-expiry-time-in-openid-connect, it seems to me that coupling the user's session expiration time in Neos to the identity token expiration might not be correct.

In our case, the identity token's exp is just 1 minute by default, which makes editing impossible.
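
The distinction the issue draws, as an added illustration that is not code from flow-openidconnect-client: the ID token's exp is checked once when the token is first accepted (OpenID Connect Core 1.0, section 3.1.3.7), while the application session afterwards runs on its own lifetime. The class name, the claim values and the 8-hour session lifetime are constructed for the example.

```php
<?php
// Added illustration only; not part of the flow-openidconnect-client code base.
// Signature and issuer/audience verification are assumed to happen elsewhere.

final class IdTokenExpiryPolicy
{
    // Check exp once, at the moment the ID token is received from the IdP.
    // A small leeway tolerates clock skew between IdP and relying party.
    public static function isFreshTokenValid(array $claims, int $now, int $leewaySeconds = 60): bool
    {
        if (!isset($claims['exp']) || !is_int($claims['exp'])) {
            return false;
        }
        return $claims['exp'] + $leewaySeconds > $now;
    }

    // Per-request check: the session has its own lifetime, so the token's
    // exp is not re-evaluated on every request.
    public static function isSessionStillActive(int $sessionStartedAt, int $sessionLifetimeSeconds, int $now): bool
    {
        return $now < $sessionStartedAt + $sessionLifetimeSeconds;
    }
}

// Constructed claims: a token whose exp is one minute after issuance,
// like the one-minute default described in the issue.
$issuedAt = 1700000000;
$claims = ['iss' => 'https://idp.example', 'sub' => 'user-123', 'iat' => $issuedAt, 'exp' => $issuedAt + 60];

// At login the token is fresh and the exp check passes (no leeway needed).
$atLogin = $issuedAt + 5;
var_dump(IdTokenExpiryPolicy::isFreshTokenValid($claims, $atLogin, 0));

// Two minutes later the token is expired. Re-running the exp check on every
// request at this point is what triggers AUTHENTICATION_NEEDED and the redirect.
$twoMinutesLater = $issuedAt + 120;
var_dump(IdTokenExpiryPolicy::isFreshTokenValid($claims, $twoMinutesLater, 0));

// The session, governed by its own lifetime (constructed: 8 hours), is still active,
// so a backend editing session is not interrupted by the token's short exp.
var_dump(IdTokenExpiryPolicy::isSessionStillActive($issuedAt, 8 * 3600, $twoMinutesLater));
```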

lorenzulrich commented 1 year ago

@daniellienert Did you find a solution for this in the meantime?