Hans Zandbelt edited this page Oct 12, 2023 · 10 revisions

Parallel Refresh Token Grants

Requests from the same user/session that reach different Apache servers simultaneously may trigger several refresh token grants in parallel. With rolling refresh tokens, this can lead to the issuance of overlapping or invalidated refresh tokens. Mitigations were added in 2.4.14.4 that avoid this at least on a single Apache server (using a global system lock) and that push a "best effort" lock to the shared cache (for the duration of OIDCHTTPTimeoutLong).
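The race and the effect of a shared-cache lock can be seen in a small simulation. This is an added example, not mod_auth_openidc code: `Provider`, `SharedCache`, `handle_request`, `simulate` and the cache key names are hypothetical, and `LOCK_TTL` is an assumed stand-in for the OIDCHTTPTimeoutLong duration.

```python
import threading, time

LOCK_TTL = 2.0  # assumed stand-in for the OIDCHTTPTimeoutLong duration, in seconds

class Provider:
    """Toy OP with rolling refresh tokens: only the latest token is redeemable."""
    def __init__(self):
        self.current, self.mutex = "rt-0", threading.Lock()
    def refresh(self, rt):
        with self.mutex:
            if rt != self.current:
                return None                       # invalid_grant: token already rolled
            self.current = f"rt-{int(rt[3:]) + 1}"
            return self.current

class SharedCache:
    """Toy shared cache: session data plus add-if-absent entries that expire."""
    def __init__(self):
        self.data, self.expiry, self.mutex = {"session-rt": "rt-0"}, {}, threading.Lock()
    def add(self, key, ttl):
        with self.mutex:
            if self.expiry.get(key, 0) > time.monotonic():
                return False                      # another server holds an unexpired lock
            self.expiry[key] = time.monotonic() + ttl
            return True
    def delete(self, key):
        with self.mutex:
            self.expiry.pop(key, None)

def handle_request(op, cache, use_lock, both_read, results):
    """One Apache server refreshing the session's tokens for an incoming request."""
    if use_lock:                                  # best-effort lock; expires after LOCK_TTL
        while not cache.add("refresh-lock", LOCK_TTL):
            time.sleep(0.005)
    rt = cache.data["session-rt"]
    if not use_lock:
        both_read.wait()                          # worst case: both servers read the same token
    new_rt = op.refresh(rt)
    if new_rt:
        cache.data["session-rt"] = new_rt
    if use_lock:
        cache.delete("refresh-lock")
    results.append(new_rt is not None)

def simulate(use_lock):
    """Run two servers in parallel; return (grant outcomes, session token still valid)."""
    op, cache, results, both_read = Provider(), SharedCache(), [], threading.Barrier(2)
    args = (op, cache, use_lock, both_read, results)
    servers = [threading.Thread(target=handle_request, args=args) for _ in range(2)]
    for t in servers: t.start()
    for t in servers: t.join()
    return sorted(results), cache.data["session-rt"] == op.current
```

Without the lock one of the two grants is rejected because its refresh token has already been rolled; with the lock the grants are serialized and both succeed. The lock is only "best effort" because it expires after its TTL whether or not the holder has finished.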

POST Data Preservation

Preserving POST data with OIDCPreservePost On across session timeouts and newly initiated sessions is supported only for simple name/value pairs, not for arbitrary POST data.
