How to redirect Okta login after session expired in Spring OAuth2
Related
Is there any way to restrict the token if the user logs out?
I followed this solution for Spring Boot 3 with Keycloak: Use Keycloak Spring Adapter with Spring Boot 3
After the user logs out from Keycloak, the token should become invalid automatically.
What are you using on the client side, and how are you performing logout?
I have developed a Spring Security SAML-based SSO application. I wanted to redirect the user to the page he was using before the SAML token expired. After refreshing the page, it is redirecting to the home page. I have used HttpSessionRequestCache, but it does not have any value by the time it reaches the LoginSuccessHandler.
I have followed the URL below to configure SAML SSO for the existing Spring Boot application, which already has username/password authentication and JWT authorization for APIs.
https://github.com/pateluday07/saml-sso-and-slo-demo-idp-azure-sp-springboot
Also in onSSOSuccessHandler() I have generated custom JWT token and returned to the Angular front end as cookie. The JWT token expiry set for 1 Hour. The spring boot application is configured with stateless session policy.
On JWT token expiry how we can refresh the token by validating the SSO session? Do we have to call /saml/login endpoint on token expiry?
I'm writing a web application with Spring boot, Spring web flow and thymeleaf. When the user session expires the csrf token in the registration form expires.
How can I handle the session expiration showing a template file in Spring web flow?
Session should be handled by Spring Security. You can redirect the current user to another page by adding configuration like this:
http.sessionManagement()
.expiredUrl("/sessionExpired.html")
.invalidSessionUrl("/invalidSession.html");
In Thymeleaf, you can use the session variable and add a th:if attribute to check whether the session exists, or something similar:
${session.isEmpty()}
Check this answer https://stackoverflow.com/a/22120387/2230060
I understand the initial basic authentication used by Spring Security, but how does Spring Security handle subsequent requests to the server after the user has been authenticated? I mean, where does Spring look up the user's credentials so that it does not ask the user to enter their password on each request to a secured resource on the server?
As for classic session ID authentication: after the server has sent the session ID to the browser, how does Spring Security interact with it without asking for the password on each request?