Step up authentication: timeout

[bruattack]

Hi guys

I need to be able to step-up a users authentication for certain actions/areas of a page. I have configured my apache according to https://github.com/OpenIDC/mod_auth_openidc/wiki/Step-up-Authentication (Thanks Hans!) and it generally works. I have one endpoint that just requires the existence of an account and one that requires certain extra attributes.

However, when I access the "higher" zone with a lower level account and get redirected to the IDP's "escalation" page, it takes a while to finish onboarding there. When that is done and I get returned back to my page, I get a timeout (see below).

I increased OIDCSessionInactivityTimeout to 4h (way longer than it takes for the onboarding) and restarted the server, same behaviour. Which timeout can I tweak here to make a fluid return to the initial page possible? What will I break by doing so?

Thanks is advance for your help!

Error:

Invalid Authentication Response
Description:

This is due to a timeout; please restart your authentication session by re-entering the URL/bookmark you originally wanted to access:

[zandbelt]

OIDCStateTimeout see: https://github.com/OpenIDC/mod_auth_openidc/blob/v2.4.16.7/auth_openidc.conf#L944-L946 and also https://github.com/OpenIDC/mod_auth_openidc/wiki/Sessions-and-Timeouts#1-state-cookie-timeout