IdProviders return wrong error when there is a replay attack or state timeout

Description

The 'state' object holds a timestamp. This is verified when a code is delivered after third party authentication.
When this fails an INVALID_REQUEST_URI error is returned:
(e.g. OpenIdConnectProvider line 123)

However, expected behaviour is probably triggering reauthentication to self-heal this. Yet the authenticationresource does not see this as so, it only does so with interacton_required and login_required...

It would be best if this were to trigger a reauthenticate, since that self-fixes things (ideally)

Assignee

Unassigned

Reporter

Koos Gadellaa

Labels

None

Priority

Major
Configure