I'm struggling to set up a secured application with an OpenID provider.
What I have done:
What am I doing:
What the problem is:
The redirect URL to my application contains some GET parameters, such as code and so on. The problem is that when I refresh the page, I get an error message: the code can only be used once.
My question is: how can I provide a proper URL that the user can refresh?
I did some research and discovered that I didn't really understand the flow of authentication.
So after the user is redirected to my application, I had to store the Refresh Token in a Session Variable. Afterwards, I was able to redirect the user to the new page.
On the new page I had to check whether a Refresh Token has been stored and whether it was valid. If so, I can show the user the content; otherwise, I have to redirect the user to the login page.
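The flow described above, sketched as an added example (not code from the original post): the callback redeems the one-time code, stores the tokens in the server-side session, and redirects to a URL without the `code` parameter, so a refresh never replays it. The paths `/callback`, `/home` and `/login`, the `oidc_state` session key, the dict used as a session and the `FakeProvider` class are assumptions made for illustration; the `state` check is an addition that goes beyond what the post mentions.

```python
import secrets
import time
from urllib.parse import parse_qs


class FakeProvider:
    """Constructed stand-in for the provider's token endpoint (single-use codes)."""

    def __init__(self):
        self.used = set()

    def exchange(self, code):
        if code in self.used:
            raise ValueError("invalid_grant: the code can only be used once")
        self.used.add(code)
        return {"refresh_token": secrets.token_urlsafe(16),
                "expires_at": time.time() + 3600}


def callback(session, query_string, provider):
    """Handle /callback?code=...&state=... and return (status, location)."""
    params = parse_qs(query_string)
    code = params.get("code", [""])[0]
    state = params.get("state", [""])[0]
    # The state value is single use as well: pop it so a replay cannot match.
    expected = session.pop("oidc_state", "")
    if not code or not expected or not secrets.compare_digest(
            state.encode(), expected.encode()):
        return 302, "/login"
    try:
        # Tokens stay in the server-side session and never appear in a URL.
        session["tokens"] = provider.exchange(code)
    except ValueError:
        return 302, "/login"
    # Redirect to a clean URL; refreshing /home does not resend the code.
    return 302, "/home"


def home(session):
    """Protected page: needs a stored, unexpired token in the session."""
    tokens = session.get("tokens")
    if not tokens or tokens["expires_at"] <= time.time():
        return 302, "/login"
    return 200, "content"
```
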