README: note about OpenID Connect cookie-refresh limitation

should be equal to OIDC token lifetime general fix requires huge multi-KB tokens in session cookie, not a good idea
ploxiln · Nov 26, 2018 · f4b2367 · f4b2367
1 parent f0caef3
commit f4b2367
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -187,6 +187,10 @@ OpenID Connect is a spec for OAUTH 2.0 + identity that is implemented by many ma
     -cookie-secure=false
     -email-domain example.com
 
+If you enable cookie-refresh, it should be set to the same duration as token lifetime
+(due to a limitation in `oauth2_proxy` - see https://github.com/bitly/oauth2_proxy/pull/620).
+
+
 ## Email Authentication
 
 To authorize by email domain use `--email-domain=yourcompany.com`. To authorize individual email addresses use `--authenticated-emails-file=/path/to/file` with one email per line. To authorize all email addresses use `--email-domain=*`.