Add a new implementation for OIDC Manager with different storage mechanism instead of HTTP session #31

Open
AnuradhaSK opened this issue May 19, 2021 · 0 comments

AnuradhaSK commented May 19, 2021

Describe the issue:
The HTTP session-based OIDC processor has a limitation when the web app is deployed in more than one container.
Params such as nonce, state, and additional query params are stored in the session

```java
session.setAttribute(SSOAgentConstants.REQUEST_CONTEXT, requestContext);
```

and trying to validate them in the callback based on the session details will cause issues if the callback doesn't come to the same container.

Enabling session affinity would be one solution, but not reliable because there could be container downtime.
Session replication is another option but the deployment will be complicated.

@AnuradhaSK AnuradhaSK added the bug Something isn't working label May 19, 2021
@chamathns chamathns added Type/Improvement and removed bug Something isn't working labels May 19, 2021
@AnuradhaSK AnuradhaSK changed the title Improve OIDC Manager with different storage mechanism instead of HTTP session Add a new implementation for OIDC Manager with different storage mechanism instead of HTTP session May 19, 2021
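One storage mechanism that does not depend on the container's HTTP session, as an added example that is not code from this issue or from the project: the state and nonce travel in an HMAC-signed cookie value, so any container holding the same key can validate the callback. The class name `SignedRequestContext`, the token layout, and the shared-key provisioning are assumptions made for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

// Hypothetical helper, not part of the SDK: keeps state and nonce in a signed
// cookie value instead of session.setAttribute(...).
public class SignedRequestContext {
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private final byte[] key; // assumption: the same secret is provisioned to every container

    public SignedRequestContext(byte[] sharedKey) { this.key = sharedKey.clone(); }

    private static String random() {
        byte[] b = new byte[32];
        new SecureRandom().nextBytes(b);
        return B64.encodeToString(b); // URL-safe alphabet, never contains '.'
    }

    private String mac(String payload) throws Exception {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(new SecretKeySpec(key, "HmacSHA256"));
        return B64.encodeToString(m.doFinal(payload.getBytes(StandardCharsets.UTF_8)));
    }

    // Before the redirect: returns "state.nonce.expiry.mac" for a Secure, HttpOnly cookie.
    // The first field is sent as the state parameter, the second as the nonce.
    public String issue(long nowSeconds, long ttlSeconds) throws Exception {
        String payload = random() + "." + random() + "." + (nowSeconds + ttlSeconds);
        return payload + "." + mac(payload);
    }

    // In the callback: returns the nonce to compare with the ID token, or null if invalid.
    public String verify(String cookieValue, String returnedState, long nowSeconds) throws Exception {
        if (cookieValue == null || returnedState == null) return null;
        String[] p = cookieValue.split("\\.");
        if (p.length != 4) return null;
        if (!same(mac(p[0] + "." + p[1] + "." + p[2]), p[3])) return null; // tampered or wrong key
        if (!same(p[0], returnedState)) return null;                      // state mismatch
        try { if (Long.parseLong(p[2]) < nowSeconds) return null; }       // expired
        catch (NumberFormatException e) { return null; }
        return p[1];
    }

    private static boolean same(String a, String b) { // constant-time comparison
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8), b.getBytes(StandardCharsets.UTF_8));
    }
}
```

The signature and expiry do not make the value single-use; rejecting a replay inside the validity window still needs a record shared between containers.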