High latency login problems · JanssenProject/jans · Discussion #12801
Hi Janssen team,
Over the last couple of days I’ve been investigating an issue affecting users with high response times (e.g. users abroad or on poor connections) during login.
I’ve traced the behavior to this block in AuthorizeRestWebServiceImpl.java where prompt=login is added if the request has taken more than 500 ms:
```java
private void addPromptLoginIfNeeded(AuthzRequest authzRequest, Client client) {
    // Only for an already-authenticated session of a client that opted in via
    // defaultPromptLogin; fires when the last authentication is older than 500 ms.
    if (identity != null && identity.getSessionId() != null
            && identity.getSessionId().getState() == SessionIdState.AUTHENTICATED
            && Boolean.TRUE.equals(client.getAttributes().getDefaultPromptLogin())
            && identity.getSessionId().getAuthenticationTime() != null
            && new Date().getTime() - identity.getSessionId().getAuthenticationTime().getTime() > 500) {
        authzRequest.addPrompt(Prompt.LOGIN);
    }
}
```
What we’re seeing is:
- The user is authenticated earlier in the flow with `prompt=login`.
- Due to high latency, the 500 ms threshold is exceeded.
- `prompt=login` is then added and the user is redirected to the authorize URL again.
- This effectively forces an unnecessary re-login, causing bad UX for our high-latency users and eternal login loops.
```java
log.debug("prompt=login, redirect to authorization page, request {}", authzRequest);
throw new NoLogWebApplicationException(redirectToAuthorizationPage(authzRequest));
```
My questions are:
- What is the rationale for this 500 ms check and the automatic addition of prompt=login above that threshold?
- Would you consider making this behavior configurable or providing an alternative approach for environments with higher latency?
This behavior is currently causing significant issues for us in production, so any guidance or recommended workaround would be greatly appreciated.
Thanks in advance!
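To make the loop described in the post concrete, here is an added Python model (a constructed example, not Janssen code and not from the discussion). It re-implements the condition from the posted `addPromptLoginIfNeeded` snippet, with the threshold made a parameter, and counts how many re-login redirects a client with a given round-trip time suffers before the authorize request is accepted. `Session`, `Client`, `needs_prompt_login`, `simulate_login` and the `threshold_ms` parameter are assumptions of this simulation; the posted code hard-codes 500 ms and exposes no such setting.

```python
"""Simulation of the prompt=login threshold check (constructed example).

Models the posted condition: if the client has defaultPromptLogin set and the
session was authenticated more than threshold_ms ago, prompt=login is added and
the user is redirected to log in again. A client whose round trip to the
authorize endpoint exceeds the threshold never gets past the check.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Session:
    """Stand-in for identity.getSessionId() (assumed shape)."""
    authenticated: bool
    authentication_time_ms: int  # epoch millis of the last authentication


@dataclass
class Client:
    """Stand-in for client.getAttributes().getDefaultPromptLogin() (assumed shape)."""
    default_prompt_login: bool


def needs_prompt_login(session: Optional[Session], client: Client,
                       now_ms: int, threshold_ms: int = 500) -> bool:
    """Mirror of the posted Java condition, threshold made configurable."""
    return (session is not None
            and session.authenticated
            and client.default_prompt_login
            and now_ms - session.authentication_time_ms > threshold_ms)


def simulate_login(client: Client, round_trip_ms: int,
                   threshold_ms: int = 500, max_rounds: int = 10) -> int:
    """Count re-login redirects for a user whose browser takes round_trip_ms
    to bring the post-login redirect back to /authorize.

    Returns 0 when the first authorize request is accepted; returns max_rounds
    when the check keeps firing, i.e. the flow never completes (the loop the
    post describes).
    """
    now = 0
    session = Session(authenticated=True, authentication_time_ms=now)
    redirects = 0
    while redirects < max_rounds:
        now += round_trip_ms  # post-login redirect reaches /authorize
        if not needs_prompt_login(session, client, now, threshold_ms):
            return redirects  # authorize proceeds; flow completes
        # prompt=login added -> redirectToAuthorizationPage -> user logs in
        # again, which re-stamps the session's authentication time.
        redirects += 1
        session = Session(authenticated=True, authentication_time_ms=now)
    return redirects


if __name__ == "__main__":
    opted_in = Client(default_prompt_login=True)
    for rtt in (50, 400, 600, 1500):
        print(f"rtt={rtt:5d} ms  redirects={simulate_login(opted_in, rtt)}")
    # Raising the threshold (hypothetical setting) lets the 1500 ms client through.
    print("rtt=1500 ms, threshold=2000 ms:",
          simulate_login(opted_in, 1500, threshold_ms=2000))
```

Run as-is it shows that every client whose round trip stays under the threshold completes on the first authorize request, while any client above it hits `max_rounds` redirects, which is the loop the post reports; a client without `defaultPromptLogin` is never affected regardless of latency.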