Situation
We provide SecHub WebUI login with OAuth2.
Let's assume that the used IDP provider does have quotas but still short expiration times, or there are configuration problems/changes etc.
This could lead to a bad user experience when always being redirected to the login mask after a short time.
Wanted
It shall be possible to provide an optional minimumCookieValidity to handle this.
If the value is not set/equals 0, nothing special shall happen, but if set, after a successful login the oauth2 expiration time shall never be smaller than the minimumCookieValidity.
Solution
We already have a sechub.security.server.oauth2.opaque-token.default-token-expires-in for missing expiresAt on oauth2 opaque token handling, but this value is only used for opaque token handling.
The minimumCookieValidity shall be used for any type of login where a cookie is used: this means that if we implement an expiration time for the classic mode (+cookie), this could be used as well.
At this issue
- every setting of the OAUTH2 cookie shall set a value which leads to a cookie which is at least valid until minimumCookieValidity
- this includes the browser cookie setting but also the content of the encrypted OAuth2 token data
- a change of the IDP value to minimum settings shall be logged at debug level
de-jcup changed the title "Provide possibility to define a" to "Provide possibility to define minimumCookieValidity" on Apr 2, 2025
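A sketch of the requested behaviour, added here as an illustration and not taken from the SecHub code base: one resolved expiry feeds both the browser cookie and the encrypted token data, so the two cannot drift apart. All class and method names are hypothetical; it assumes Java 16+ and treats a negative value like "not set".

```java
import java.time.Duration;
import java.time.Instant;

/** Added illustration, not SecHub code: all names here are hypothetical. */
public class MinimumCookieValidityExample {

    private static final System.Logger LOG = System.getLogger("MinimumCookieValidityExample");

    /** One expiry value, used for both the browser cookie and the encrypted token data. */
    record CookieExpiry(Instant expiresAt, long maxAgeSeconds) {}

    /**
     * @param idpExpiresAt          expiration reported by the IDP (assumed non-null here)
     * @param minimumCookieValidity null or zero means "not set": the IDP value is used unchanged
     *                              (negative values are treated the same way, an assumption)
     */
    static CookieExpiry resolve(Instant now, Instant idpExpiresAt, Duration minimumCookieValidity) {
        Instant effective = idpExpiresAt;
        boolean enabled = minimumCookieValidity != null
                && !minimumCookieValidity.isZero()
                && !minimumCookieValidity.isNegative();
        if (enabled) {
            Instant earliestAllowed = now.plus(minimumCookieValidity);
            if (idpExpiresAt.isBefore(earliestAllowed)) {
                // The issue asks for this change to be logged at debug level
                LOG.log(System.Logger.Level.DEBUG,
                        "IDP expiration {0} raised to minimum {1}", idpExpiresAt, earliestAllowed);
                effective = earliestAllowed;
            }
        }
        // Cookie Max-Age is derived from the same instant that goes into the token data
        long maxAge = Math.max(0, Duration.between(now, effective).getSeconds());
        return new CookieExpiry(effective, maxAge);
    }

    public static void main(String[] args) {
        Instant now = Instant.parse("2025-04-02T10:00:00Z"); // constructed sample time
        Instant shortLived = now.plusSeconds(300);            // constructed: IDP grants 5 minutes
        System.out.println(resolve(now, shortLived, null));                 // not set: unchanged
        System.out.println(resolve(now, shortLived, Duration.ZERO));        // 0: unchanged
        System.out.println(resolve(now, shortLived, Duration.ofHours(1)));  // raised to the minimum
        System.out.println(resolve(now, now.plus(Duration.ofHours(8)), Duration.ofHours(1))); // longer IDP value kept
    }
}
```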