Since some time I do have massive warnings from oidc I think in the logfile:
2026-03-11 14:54:22,476 [https-jsse-nio-8443-exec-12 - https://example.org/oidc/authenticator/callback?code=SNIP&session_state=SNIP] WARN c.x.x.d.XWikiDocument - Abusive modification of the cached document [xwiki:XWiki.UserName()]
at java.base/java.lang.Thread.run(Thread.java:840)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:63)
at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:493)
at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:975)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1776)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:903)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:398)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:666)
at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:733)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:93)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:116)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:483)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:90)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:167)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164)
at org.xwiki.container.servlet.filters.internal.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:120)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164)
at org.xwiki.container.servlet.filters.internal.ResolveRelativeRedirectFilter.doFilter(ResolveRelativeRedirectFilter.java:129)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164)
at org.xwiki.container.servlet.filters.internal.SafeRedirectFilter.doFilter(SafeRedirectFilter.java:106)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164)
at org.xwiki.container.servlet.filters.internal.SavedRequestRestorerFilter.doFilter(SavedRequestRestorerFilter.java:212)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164)
at org.xwiki.resource.servlet.RoutingFilter.doFilter(RoutingFilter.java:148)
at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:268)
at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:323)
at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:394)
at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:612)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:164)
at org.xwiki.container.servlet.filters.internal.SetHTTPHeaderFilter.doFilter(SetHTTPHeaderFilter.java:66)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:140)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:195)
at jakarta.servlet.http.HttpServlet.service(HttpServlet.java:658)
at org.xwiki.resource.servlet.ResourceReferenceHandlerServlet.service(ResourceReferenceHandlerServlet.java:90)
at org.xwiki.resource.servlet.ResourceReferenceHandlerServlet.handleResourceReference(ResourceReferenceHandlerServlet.java:160)
at org.xwiki.resource.internal.AbstractResourceReferenceHandlerManager.handle(AbstractResourceReferenceHandlerManager.java:82)
at org.xwiki.resource.internal.DefaultResourceReferenceHandlerChain.handleNext(DefaultResourceReferenceHandlerChain.java:79)
at org.xwiki.contrib.oidc.provider.internal.OIDCResourceReferenceHandler.handle(OIDCResourceReferenceHandler.java:110)
at org.xwiki.contrib.oidc.provider.internal.OIDCResourceReferenceHandler.handle(OIDCResourceReferenceHandler.java:138)
at org.xwiki.contrib.oidc.auth.internal.endpoint.CallbackOIDCEndpoint.handle(CallbackOIDCEndpoint.java:249)
at org.xwiki.contrib.oidc.auth.internal.OIDCUserManager.updateUser(OIDCUserManager.java:461)
at com.xpn.xwiki.doc.XWikiDocument.apply(XWikiDocument.java:9521)
at com.xpn.xwiki.doc.XWikiDocument.apply(XWikiDocument.java:9653)
at com.xpn.xwiki.doc.XWikiAttachment.apply(XWikiAttachment.java:1336)
at com.xpn.xwiki.doc.XWikiAttachment.setContent(XWikiAttachment.java:1107)
at com.xpn.xwiki.doc.XWikiAttachmentContent.setContent(XWikiAttachmentContent.java:326)
at com.xpn.xwiki.doc.XWikiAttachmentContent$1.close(XWikiAttachmentContent.java:292)
at com.xpn.xwiki.doc.XWikiAttachmentContent.setContentDirty(XWikiAttachmentContent.java:233)
at com.xpn.xwiki.doc.XWikiDocument.setMetaDataDirty(XWikiDocument.java:2460)
java.lang.IllegalStateException: Abusive modification of the cached document
Our config looks like this:
oidc.endpoint.authorization=https://login.microsoftonline.com/SNIP/oauth2/v2.0/authorize
oidc.endpoint.logout=https://login.microsoftonline.com/SNIP/oauth2/v2.0/logout
oidc.endpoint.token=https://login.microsoftonline.com/SNIP/oauth2/v2.0/token
oidc.endpoint.token.auth_method=client_secret_post
oidc.endpoint.userinfo=https://graph.microsoft.com/oidc/userinfo
oidc.endpoint.userinfo.method=POST
oidc.logoutMechanism=rpInitiated
oidc.scope=openid
oidc.clientid=SNIP
oidc.secret=SNIP
oidc.user.nameFormater=${oidc.user.givenName._clean}${oidc.user.familyName._clean}
oidc.groups.claim=groups
oidc.userinfoclaims=groups
How to avoid this?
Regards, Simpel