With SSO the client sends the client
secret to SSO which is stored in the session. Now when the clients
session expires all the information including the client secret is lost
when the session is purged by the application server.
Here is the sequence
1. login to webadmin
2. Leave the session until session time out on engine and user is redirected to login page (the client id and secret are sent)
3.
If user tries to login now everything will be fine but if user leaves
and the session expires the session is purged, client secret is lost
4.
User enters user name password on the screen after coming back. The
login form does not have a session associated with it so the client and
secret are not found and SSO needs to report that the session has
expired and redirect user to welcome page.
The client id and secret cannot be stored in login page as they are supposed to be kept secret.
To revert to old behavior we need a patch that can saveĀ client and secret for the session out side the session object in a global data structure
and create a unique token that can be used to associate the login page with the client secret stored in the global data structure.
The token can be included in the login page.