With SSO the client sends the client secret to SSO which is stored in the session. Now when the clients session expires all the information including the client secret is lost when the session is purged by the application server.

Here is the sequence

1. login to webadmin
2. Leave the session until session time out on engine and user is redirected to login page (the client id and secret are sent)
3. If user tries to login now everything will be fine but if user leaves and the session expires the session is purged, client secret is lost
4. User enters user name password on the screen after coming back. The login form does not have a session associated with it so the client and secret are not found and SSO needs to report that the session has expired and redirect user to welcome page.

The client id and secret cannot be stored in login page as they are supposed to be kept secret.

To revert to old behavior we need a patch that can saveĀ  client and secret for the session out side the session object in a global data structure
and create a unique token that can be used to associate the login page with the client secret stored in the global data structure.
The token can be included in the login page.

Ravi


On Wed, Jan 4, 2017 at 12:59 PM, Robert Story <rstory@tislabs.com> wrote:
Since I upgrade to 4.0, I get this annoying message when I try to log in
again after I've been away for a while. On 3.6 the ui would go to a login
screen after some period of inactivity, and I could log right back in. With
4.0, logging in after inactivity goes to a page with this message, and I
have to click to get a login page and then log in again. This is very
annoying. Is there a way to revert to the old behavior?


Robert

--
Senior Software Engineer @ Parsons

_______________________________________________
Users mailing list
Users@ovirt.org
http://lists.ovirt.org/mailman/listinfo/users