🐛 [#4528] Disable OIDC SessionRefresh middleware

previously, if the session in the OIDC provider expired and the sessionrefresh middleware is triggered, the user can not automatically re-authenticate, causing to 403s (and losing changes made in the form designer). In order to avoid session synchronization issues, we remove the SessionRefresh completely, meaning that OIDC is used for logging in, but Open Forms itself is then in charge of managing the session. Backport-Of: #4528
open-formulieren · Oct 15, 2024 · 0bb3d84 · 0bb3d84
1 parent 99ccd27
commit 0bb3d84
Showing 1 changed file with 0 additions and 10 deletions.
diff --git a/src/openforms/conf/base.py b/src/openforms/conf/base.py
@@ -265,7 +265,6 @@
     "openforms.translations.middleware.AdminLocaleMiddleware",
     "hijack.middleware.HijackUserMiddleware",
     "openforms.middleware.SessionTimeoutMiddleware",
-    "mozilla_django_oidc_db.middleware.SessionRefresh",
     "maykin_2fa.middleware.OTPMiddleware",
     "django.contrib.messages.middleware.MessageMiddleware",
     "django.middleware.clickjacking.XFrameOptionsMiddleware",
@@ -1030,15 +1029,6 @@
 # Access token required for performing the Token exchange
 OIDC_STORE_ACCESS_TOKEN = True
 
-# Paths that are exempt from the SessionRefresh middleware
-# these must be explicitly added to avoid infinite redirects from happening (#4435)
-if _USE_LEGACY_OIDC_ENDPOINTS:
-    OIDC_EXEMPT_URLS = [
-        "legacy_oidc:oidc_authentication_init",
-        "legacy_oidc:oidc_authentication_callback",
-        "legacy_oidc:oidc_logout",
-    ]
-
 # TODO: remove once 2.7 is released, this is required for data migration(s)
 MOZILLA_DJANGO_OIDC_DB_CACHE = "solo"