Tags: tomcat, spring-security, oauth-2.0, spring-security-oauth2, pingfederate

Redirect from CAS (PingFederate) in an OAuth auth code grant flow creating a new session on the OAuth client


I have a web application which acts as an OAuth client in order to obtain access tokens from PingFederate (acting as the CAS + IdP here). The web app's sessions are managed by a JSESSIONID appended to the URLs associated with the web app. After login, the web app kicks off the auth code grant flow (Spring Security filters) in order to obtain access tokens for the authenticated user. On redirect from PingFederate, there is no JSESSIONID appended to the redirect URL (because PingFederate doesn't know about JSESSIONIDs here). This causes the redirect URI on the web app to kick off a new session.

I don't want the web app's redirect URI to generate a new Tomcat session. Architecturally, there seems to be something smelly here. I want to check what the possible solutions are to avoid generating a new session.

I can share code if required. Please ask.

Thanks!


Solution

  • When your client application sends its OAuth authorization request to PingFederate, you are able to include a redirect_uri query string parameter to tell it how to redirect back to your application. If you are able to include the JSESSIONID in that value, PingFederate will include it in the redirect.

    Given that the value of the JSESSIONID is dynamic, you will likely need to include a wildcard character (*) in the configured Redirection URIs for your client in PingFederate's administrative console.

    For more details, see:
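As an added example (not part of the original question or answer), the following Python sketch walks through the exchange the answer describes: the client builds a redirect_uri that carries Tomcat's ;jsessionid= path parameter, the authorization server appends code and state to that URI on the way back, and the client recovers the session id, code and state from the callback URL. It also includes a deliberately naive wildcard matcher so you can see what a configured Redirection URI pattern admits and why the * belongs as far to the right as possible. The endpoints, client id, host, session id and code values are constructed, and the matcher is an assumption for illustration, not PingFederate's implementation.

```python
"""Client side of the authorization code grant with a JSESSIONID in redirect_uri.

This is an added illustration, not code from the original question or
answer. All URLs, the client id, the session id and the code/state values
are constructed for the example, and the wildcard matcher is an
assumption about how a '*' in a configured Redirection URI behaves, not
PingFederate's actual implementation.
"""
import re
from urllib.parse import parse_qs, urlencode, urlsplit


def session_aware_callback(callback_url: str, jsessionid: str) -> str:
    """Attach Tomcat's ';jsessionid=' path parameter to the callback URL.

    The parameter goes on the path, before any query string, which is the
    form Tomcat's URL rewriting produces when cookies are not in use.
    """
    parts = urlsplit(callback_url)
    return parts._replace(path=parts.path + ";jsessionid=" + jsessionid).geturl()


def build_authorization_url(authz_endpoint: str, client_id: str,
                            redirect_uri: str, state: str,
                            scope: str = "openid") -> str:
    """Build the authorization request (RFC 6749 section 4.1.1).

    redirect_uri is percent-encoded by urlencode, so the ';' and '=' of the
    session path parameter survive the round trip through the query string.
    """
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
    }
    return authz_endpoint + "?" + urlencode(params)


def authorization_response(redirect_uri: str, code: str, state: str) -> str:
    """The URL the authorization server redirects the browser back to.

    Per RFC 6749 section 4.1.2 the code and state are added to the query
    component of the registered redirect_uri, so a path parameter that was
    part of redirect_uri is carried back untouched.
    """
    separator = "&" if urlsplit(redirect_uri).query else "?"
    return redirect_uri + separator + urlencode({"code": code, "state": state})


def parse_callback(url: str) -> dict:
    """Split a callback URL into what Tomcat consumes and what Spring sees.

    Returns the plain path, the jsessionid path parameter (or None) and the
    first value of every query parameter (code, state, ...).
    """
    parts = urlsplit(url)
    path, _, path_param = parts.path.partition(";")
    jsessionid = None
    if path_param.startswith("jsessionid="):
        jsessionid = path_param[len("jsessionid="):]
    query = {key: values[0] for key, values in parse_qs(parts.query).items()}
    return {"path": path, "jsessionid": jsessionid, **query}


def matches_redirect_pattern(pattern: str, redirect_uri: str) -> bool:
    """Naive wildcard match: each '*' in the pattern matches any characters.

    Assumption for illustration only. It makes visible how much a pattern
    admits: the further left the '*', the more URIs on your host an
    authorization code can be delivered to.
    """
    regex = ".*".join(re.escape(piece) for piece in pattern.split("*"))
    return re.fullmatch(regex, redirect_uri) is not None


if __name__ == "__main__":
    # Constructed values for the walkthrough.
    session_id = "9A1C2E3F4B5D6E7F8A9B0C1D2E3F4A5B"
    callback = session_aware_callback("https://app.example.com/oauth/callback", session_id)
    request_url = build_authorization_url(
        "https://sso.example.com/as/authorization.oauth2", "web-client", callback, "s1")
    print("1. client -> PingFederate:", request_url)

    response_url = authorization_response(callback, "SplxlOBeZQQYbYS6WxSbIA", "s1")
    print("2. PingFederate -> client:", response_url)

    print("3. client sees:", parse_callback(response_url))

    narrow = "https://app.example.com/oauth/callback;jsessionid=*"
    broad = "https://app.example.com/*"
    for pattern in (narrow, broad):
        print(pattern, "admits /other:",
              matches_redirect_pattern(pattern, "https://app.example.com/other"))
```

Two caveats if you go this route: RFC 6749 section 3.1.2.2 recommends registering the complete redirect URI and matching it exactly, so keep any wildcard confined to the session id portion of an otherwise fixed path; and a session identifier carried in a URL ends up in browser history, Referer headers and server logs on both sides, so treat it as exposed and rely on Spring Security's session fixation protection (changeSessionId or migrateSession) to rotate the id after the callback while keeping the session's attributes.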