> it makes me think that I face the same "problem" on the confirmation page
> when using the OAuth server wrapper for CAS. The user has to grant access to
> his profile before the service ticket expires.

That's actually an interesting use case. I don't think we have considered protocol interactions in ticket expiration times. The warn page interrupts the protocol flow, but is not strictly part of it, so the OAuth case seems novel. At the least we should document ticket expiration considerations when enabling modules like OAuth.

> I don't like to increase the ticket timeout for security reasons but at the
> same time, 5s seems to be somehow unacceptable for the end-user experience...

It's certainly too low when user interaction is a fundamental part of the protocol flow. I'm open to consider increasing across the board. Just for context, it was at some point in the not-too-distant past 30s, which seemed too liberal.

M
