From 7d3cbe555f53a1a1378cdd9efdd4b7a6cda06d9f Mon Sep 17 00:00:00 2001
From: Stefan Bodewig <stefan.bodewig@innoq.com>
Date: Tue, 18 Feb 2020 15:50:49 +0100
Subject: [PATCH] talk about locking of session in authenticate, see #285

---
 README.md | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/README.md b/README.md
index d47d44f..b09417d 100644
--- a/README.md
+++ b/README.md
@@ -293,6 +293,19 @@ local res, err = require("resty.openidc").authenticate(opts, nil, "pass")
 local res, err = require("resty.openidc").authenticate(opts, nil, "deny")
 ```
 
+## Sessions and Locking
+
+The `authenicate` function returns the current session object as its
+forth return argument. If you have configured lua-resty-session to use
+a server side storade backend that uses locking, the session may still
+be locked when it is returned. In this case you may want to close it
+explicitly
+
+```lua
+local res, err, target, session = require("resty.openidc").authenticate(opts)
+session:close()
+```
+
 ## Sample Configuration for OAuth 2.0 JWT Token Validation
 
 Sample `nginx.conf` configuration for verifying Bearer JWT Access Tokens against a pre-configured secret/key.