The OAuth timeout problem, the SAML assertion timeout problem, and the CAS service ticket problem would all be solved by CAS issuing the [OAuth token / SAML assertion / service ticket] after the user clears the warning / authorization screen hurdle. The login flow can have as much user experience interaction as it needs to have, several attribute release / informed consent screens, whatever, so long as the CAS server issues the token only when it is entirely ready to send the token along to the relying party.

That should make 5s ST timeouts just fine.

On Thu, Feb 7, 2013 at 5:10 AM, jleleu <[email protected]> wrote:

> Hi,
>
> I'm not sure that the solution is to increase the timeout up to 30s (which
> I estimate too much for security and not enough for user interaction).
>
> I was considering that interrupt screens should rely on the web session
> lifetime (like the login page).
>
> Best regards,
> Jérôme
>
> --
> You are currently subscribed to [email protected] as:
> [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
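The timing argument in the message above, as an added simulation that is not part of the original post and not CAS code: a single-use service ticket with the 5-second lifetime discussed in the thread is issued either before the interrupt (consent / warning) screens or only at the moment of redirect. The clock is injectable so the run is deterministic; the interrupt durations, the service URL and the network latency are constructed values chosen to exceed the ticket lifetime.

```python
"""Service-ticket issuance timing vs. interrupt screens (constructed simulation)."""
from dataclasses import dataclass
import secrets

ST_LIFETIME_SECONDS = 5.0  # the short ST timeout discussed in the thread


class FakeClock:
    """Deterministic clock so the simulation does not depend on wall time."""

    def __init__(self, start=0.0):
        self.now = start

    def advance(self, seconds):
        self.now += seconds


@dataclass
class ServiceTicket:
    ticket_id: str
    service: str
    issued_at: float


class TicketRegistry:
    """Issues and validates single-use, short-lived service tickets."""

    def __init__(self, clock, lifetime=ST_LIFETIME_SECONDS):
        self.clock = clock
        self.lifetime = lifetime
        self._tickets = {}

    def issue(self, service):
        # Unpredictable identifier; the lifetime clock starts at issuance.
        st = ServiceTicket("ST-" + secrets.token_urlsafe(16), service, self.clock.now)
        self._tickets[st.ticket_id] = st
        return st

    def validate(self, ticket_id, service):
        """Return (ok, reason). The ticket is consumed on first lookup (single use)."""
        st = self._tickets.pop(ticket_id, None)
        if st is None:
            return False, "unknown ticket"
        if st.service != service:
            return False, "service mismatch"
        if self.clock.now - st.issued_at > self.lifetime:
            return False, "expired"
        return True, "ok"


def login_flow(registry, clock, service, interrupt_seconds, issue_early):
    """Authenticate -> interrupt screens -> redirect to the relying party.

    issue_early=True models issuing the ST before the interrupt screens;
    issue_early=False issues it only when the redirect is actually sent.
    Returns the ticket id handed to the relying party.
    """
    st = registry.issue(service) if issue_early else None
    # The user spends time on each consent / warning screen (constructed durations).
    for seconds in interrupt_seconds:
        clock.advance(seconds)
    if st is None:
        st = registry.issue(service)
    return st.ticket_id


def relying_party_validates(registry, clock, ticket_id, service, network_latency=0.5):
    """The relying party calls back to validate after the redirect round-trip."""
    clock.advance(network_latency)
    return registry.validate(ticket_id, service)


def simulate(issue_early, interrupt_seconds=(12.0, 20.0)):
    """Run one login with the given issuance policy; returns the validation result."""
    clock = FakeClock()
    registry = TicketRegistry(clock)
    service = "https://app.example.org/"  # constructed relying-party URL
    ticket_id = login_flow(registry, clock, service, interrupt_seconds, issue_early)
    return relying_party_validates(registry, clock, ticket_id, service)


if __name__ == "__main__":
    print("issued before interrupt screens:", simulate(issue_early=True))
    print("issued at redirect time:        ", simulate(issue_early=False))
```

With the ticket issued before the screens, 32 seconds of user interaction plus the redirect exceed the 5-second lifetime and validation fails; issued at redirect time, only the round-trip counts against the lifetime and the same 5-second limit is comfortably met. The single-use pop in `validate` also means a replayed ticket id is rejected as unknown.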
