-
-
Notifications
You must be signed in to change notification settings - Fork 331
Known Limitations
When using OIDCRefreshAccessTokenBeforeExpiry and/or OIDCUserInfoRefreshInterval requests originating from the same user/session reaching different Apache processes simultaneously may lead to execution of several refresh token grants in parallel which could lead to issuance of overlapping/invalidated refresh tokens when used with rolling refresh tokens. The last issued refresh token may be overwritten in the session with an earlier one and as such may lead to an unrecoverable situation. A mitigation has been added since 2.4.15.3 to avoid this by caching and re-using the result of the first token refresh grant request. This also avoids the situation with persistent refresh tokens as previously these requests would lead to multiple access tokens and ID tokens being issued for the same session (with the last one winning).
A "best effort distributed parallel refresh prevention" is applied that is especially important when rolling refresh tokens are used across different Apache processes. Note that this is not 100% failsafe, so the advice is still to not use rolling refresh tokens with multiple Apache instances.
Rolling refresh tokens must not be used together with OIDCSessionType client-cookie when there is no shared caching mechanism in use between the Apache instances.
Preservation of POST data with OIDCPreservePost On over session timeouts and newly initiated sessions is only supported with simple name/value pairs i.e. using Content-Type: application/x-www-form-urlencoded, not arbitrary (streamed) POST data.
Preservation of POST date combined with OIDCPreservePost On and Authorization using Require claim directives or Step-Up Authentication don't work together over plain HTTP, running over HTTPs does seem to avoid this limitation. See also other limitations associated with Step-Up Authentication here: https://github.com/OpenIDC/mod_auth_openidc/wiki/Step-up-Authentication#limitations
It is not possible to specify OpenID Connect Provider primitives (OIDCProvider*) on a on a per-directory/location basis, those primitives are only supported on the global/vhost level.