Changing `timeout` can have temporary unintended consequences for other timeouts, I think
https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng/-/blob/0a17936a397e2ce84d2cf95c29552997798010d9/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/OpenIDConnect.pm#L972 looks like it relies on a cleanup job using the main `timeout` to invalidate authorization codes, access tokens, and refresh tokens. That means that if an admin increases the value of `timeout`, it would also cause any of those other things that were valid before the increase to stay valid longer than they should, right? For a refresh token, that seems fine, but for an authorization code, that could extend it from 60 seconds to much longer. (After looking at the code, I found #1879 (comment 48192) which mentions how the code appears to work now, but not this issue with accidentally increasing the timeout for things that should have short timeouts. Also, I haven't tested this so I might be wrong, I'm just guessing at the behavior from looking at the code.)
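
A simplified model of the behaviour this report guesses at, added here as an illustration and not taken from LemonLDAP::NG: entries are stored with a backdated timestamp and a cleanup check compares it against whatever the global timeout is at that moment. The `Store` class, the backdated `utime` scheme, the absolute-expiry alternative and the timeout values are assumptions; only the 60-second authorization code lifetime comes from the report.

```python
from dataclasses import dataclass

AUTH_CODE_TTL = 60  # seconds, the authorization-code lifetime named in the report


@dataclass
class Entry:
    utime: int       # backdated timestamp the purge check compares against
    expires_at: int  # absolute expiry fixed at creation (hardened variant)


class Store:
    """Toy session store; an assumed model, not LemonLDAP::NG code."""

    def __init__(self, timeout):
        self.timeout = timeout  # global timeout an admin can change later
        self.entries = {}

    def put(self, key, ttl, now):
        # Assumed scheme: backdate utime so that utime + timeout == now + ttl
        # for the timeout value in force when the entry is created.
        self.entries[key] = Entry(now + ttl - self.timeout, now + ttl)

    def valid_by_purge(self, key, now):
        # What a cleanup job sees when it uses the *current* timeout.
        return now < self.entries[key].utime + self.timeout

    def valid_by_expiry(self, key, now):
        # Hardened check: the lifetime cannot drift with later config changes.
        return now < self.entries[key].expires_at


def lifetime_after_change(old_timeout, new_timeout, ttl):
    """Seconds an entry created at t=0 stays valid under the purge check."""
    store = Store(old_timeout)
    store.put("code", ttl, now=0)
    store.timeout = new_timeout  # admin edits the configuration afterwards
    return store.entries["code"].utime + store.timeout


if __name__ == "__main__":
    # Constructed values: timeout raised from 7200 s to 72000 s.
    print(lifetime_after_change(7200, 7200, AUTH_CODE_TTL))
    print(lifetime_after_change(7200, 72000, AUTH_CODE_TTL))
```

Under this model the extra lifetime equals the difference between the new and old timeout, so the drift applies only to entries created before the change.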