Refreshing tokens on non-GET requests #236
Labels
Comments
|
Yes, certainly a nice-to-have but it comes with its own complexity of where to store the POST data and avoid all types of security (client-side) or DoS (server-side) attacks. |
|
IMHO this information should be somewhere among library limitiations. It's quite common to have web-app in eg. React that upon loading it's js may only (or mostly perform POST request). lua-resty-oidc will not be able to maintain SSO session despite user continous interactions. |
|
fair point indeed |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Environment
Expected behaviour
It could be nice to have possibility continue user request in oryginal form.
Actual behaviour
Token refreshing mechanism works for GET requests only.
eg. POST requests will refresh token but they will be changed to GET request, and message body is lost as we only store "target url" before redirects.
https://github.com/zmartzone/lua-resty-openidc/blob/master/lib/resty/openidc.lua#L1115
Minimized example
not needed
Configuration and NGINX server log files
not needed
The text was updated successfully, but these errors were encountered: