Blocked by CORS on Google when doing post after default timeout

[tkd4444]

Dear community,

I have a location protected /wp-admin using HTTPD. Whenever I call the protected url everything works fine. I get authenticated and I can access the subfiles and subdirectories of the protected location. But the problem is whenever we make a POST from the CMS WYSIWG /wp-admin/post.php after the default 300second timeout from that sub location the google blocks this as a violation of it's CORS policy. I guess because it's not comming from the OIDCRedirectURI and it want to re-autheticate ? Do you have experience with this ? I'm thinking increasing the default 300 second timeout but I don't like this workaround and I was wondering if you have some better solution for this problem on mind. Thanks !

[tkd4444]

So I just realized that I was using a rather old version 1.8.8. Since upgrading to the latest release v2.4.13.2 I'm getting the same behaviour but with a different error:

post.php:1 Uncaught (in promise) 
Response {type: 'basic', url: 'https://domain_name/wp-admin/post.ph…r=1&meta-box-loader-nonce=28f428c5c3&_locale=user', redirected: false, status: 401, ok: false, …}
body
Response

[tkd4444]

I tried to set the following:

 OIDCSessionInactivityTimeout 86400
 OIDCSessionMaxDuration 0

But I noticed whenever I suspend or delete a valid user from Google suite it doesn't invalidate the session and user is still logged in.

[zandbelt]

see https://github.com/OpenIDC/mod_auth_openidc/wiki/Sessions-and-Timeouts#session-timeout-and-forms

[tkd4444]

Thanks @zandbelt ! I incrased the timeout, but I noticed whenever I suspend or delete a valid user from Google suite it doesn't invalidate the session and user is still logged in.

[zandbelt]

that is expected behaviour, see: https://github.com/OpenIDC/mod_auth_openidc/wiki/Sessions-and-Timeouts#sessions