With SSO the client sends the client secret to SSO which is stored in the
session. Now when the clients session expires all the information including
the client secret is lost when the session is purged by the application
server.
Here is the sequence
1. login to webadmin
2. Leave the session until session time out on engine and user is
redirected to login page (the client id and secret are sent)
3. If user tries to login now everything will be fine but if user leaves
and the session expires the session is purged, client secret is lost
4. User enters user name password on the screen after coming back. The
login form does not have a session associated with it so the client and
secret are not found and SSO needs to report that the session has expired
and redirect user to welcome page.
The client id and secret cannot be stored in login page as they are
supposed to be kept secret.
To revert to old behavior we need a patch that can save client and secret
for the session out side the session object in a global data structure
and create a unique token that can be used to associate the login page with
the client secret stored in the global data structure.
The token can be included in the login page.
Ravi
On Wed, Jan 4, 2017 at 12:59 PM, Robert Story <rstory(a)tislabs.com> wrote:
Since I upgrade to 4.0, I get this annoying message when I try to log
in
again after I've been away for a while. On 3.6 the ui would go to a login
screen after some period of inactivity, and I could log right back in. With
4.0, logging in after inactivity goes to a page with this message, and I
have to click to get a login page and then log in again. This is very
annoying. Is there a way to revert to the old behavior?
Robert
--
Senior Software Engineer @ Parsons
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users