-
Notifications
You must be signed in to change notification settings - Fork 326
Known Limitations
Requests originating from the same user/session reaching different Apache processes simultaneously may lead to execution of several refresh token grants in parallel which could lead to issuance of overlapping/invalidated refresh tokens when used with rolling refresh tokens. Mitigations have been added in 2.4.14.4 to avoid this at least on a single Apache server (using a global system lock) and to push a "best effort" lock to the shared cache (for the duration of OIDCHTTPTimeoutLong).
Preservation of POST data with OIDCPreservePost On over session timeouts and newly initiated sessions is only supported with simple name/value pairs, not arbitrary POST data.
It is not possible to specify OpenID Connect Provider primitives (OIDCProvider*) on a on a per-directory/location basis, those primitives are only supported on the global/vhost level.