feat: auto-redirect to SSO provider when expired remote session detected (DET-10392)

[corban-beaird]

Ticket

DET-10392

Description

Detect when an SSO user is attempting to leverage an expired session token, and rather than redirect them to the SignIn page, instead directly call the SSO provider & send them back to the requested page.

Docs

• release note
• update master config ref docs
• add a description of handling sesh expiry to "managing remote users" (see docs: Update remote users auto redirect #9623 )

Test Plan

Setup:

• Launch a devcluster that is configured to with at least on SSO provider
  • saml example: .circleci/devcluster/saml.devcluster.yaml
  • Add always_redirect: true in the OIDC/SAML config to test the alwaysRedirect behavior.

SSO User Token Expiration

1. Sign in using SSO
2. Navigate to a page other than the dashboard
3. Set the expiration date of the session token in the DB to a time to now (or before)
   • Example Query: UPDATE user_sessions SET expiry = current_timestamp WHERE user_id = <your user id>;
4. Confirm that:
   • User is kicked from current page for being unauthenticated
   • SignIn page is NOT displayed
   • User is redirected to SSO & then back original page

Non-SSO User Token Expiration

1. Sign in NOT using SSO
2. Navigate to a page other than the dashboard
3. Set the expiration date of the session token in the DB to a time to now (or before)
   • Example Query: UPDATE user_sessions SET expiry = current_timestamp WHERE user_id = <your user id>;
4. Confirm that:
   • User is kicked from current page for being unauthenticated
   • SignIn page is displayed

Always Redirect Enabled

1. Sign into determined as an admin
2. Create a workspace & project
3. Sign out
4. Attempt to access the following pages (signing out between each)
   • /det/tasks
   • /det/workspaces/<workspace_id>/projects
   • /det/projects/<project_id>/experiments
5. Confirm that you are either direct to the SSO provider or to the given page as the SSO user
6. If the user doesn't have access to the page, they should see a 404 error w/a button directing them back to home

Checklist

• Changes have been manually QA'd
• New features have been approved by the corresponding PM
• User-facing API changes have the "User-facing API Change" label
• Release notes have been added as a separate file under docs/release-notes/
  See Release Note for details.
• Licenses have been included for new code which was copied and/or modified from any external code

[codecov]

Codecov Report

Attention: Patch coverage is 33.03571% with 75 lines in your changes missing coverage. Please review.

Project coverage is 53.32%. Comparing base (086de84) to head (85232b9).
Report is 12 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #9613      +/-   ##
==========================================
- Coverage   53.34%   53.32%   -0.03%     
==========================================
  Files        1255     1255              
  Lines      152702   152789      +87     
  Branches     3250     3253       +3     
==========================================
+ Hits        81455    81469      +14     
- Misses      71095    71168      +73     
  Partials      152      152              

Flag	Coverage Δ
backend	44.74% <0.00%> (-0.03%)	⬇️
harness	72.83% <ø> (-0.01%)	⬇️
web	51.56% <37.37%> (-0.02%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files	Coverage Δ
master/internal/config/det_cloud_config.go	50.00% <ø> (ø)
master/internal/config/oidc_config.go	50.00% <ø> (ø)
master/internal/config/saml_config.go	20.00% <ø> (ø)
master/pkg/aproto/master_message.go	0.00% <ø> (ø)
webui/react/src/stores/determinedInfo.tsx	86.17% <100.00%> (+0.14%)	⬆️
webui/react/src/components/NavigationSideBar.tsx	0.00% <0.00%> (ø)
webui/react/src/components/NavigationTabbar.tsx	0.00% <0.00%> (ø)
webui/react/src/utils/service.ts	86.27% <93.75%> (+0.76%)	⬆️
webui/react/src/stores/userSettings.tsx	89.18% <75.00%> (-0.69%)	⬇️
master/internal/plugin/sso/sso.go	34.06% <0.00%> (-1.17%)	⬇️
... and 5 more

... and 6 files with indirect coverage changes

[netlify]

✅ Deploy Preview for determined-ui ready!

Name	Link
🔨 Latest commit	85232b9
🔍 Latest deploy log	https://app.netlify.com/sites/determined-ui/deploys/66a01e2b857479000856a739
😎 Deploy Preview	https://deploy-preview-9613--determined-ui.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[BOsterbuhr]

If the user doesn't have an expired session token will they see the login page still? If so, could a user create a fake session token to ensure they don't see the login page at all?

[corban-beaird]

If the user doesn't have an expired session token will they see the login page still? If so, could a user create a fake session token to ensure they don't see the login page at all?

@BOsterbuhr
If the they don't have an expired token, they'll be sent directly in to the app, since they're already authenticated. Also if a user provides a fake session token that isn't within our system, we won't report it as an expired token & they'll be directed to the login page to authenticate

[BOsterbuhr]

If the user doesn't have an expired session token will they see the login page still? If so, could a user create a fake session token to ensure they don't see the login page at all?

@BOsterbuhr

If the they don't have an expired token, they'll be sent directly in to the app, since they're already authenticated. Also if a user provides a fake session token that isn't within our system, we won't report it as an expired token & they'll be directed to the login page to authenticate

If they don't have a token at all (first time logging in) how can they avoid hitting the login page? We need a way to avoid the login page completely in all instances.

[corban-beaird]

If they don't have a token at all (first time logging in) how can they avoid hitting the login page? We need a way to avoid the login page completely in all instances.

@BOsterbuhr
Currently that's not what's being done in this PR. However, I'm happy to add in a new config to the master to allow for auto-redirect to the SSO provider by default for every user regardless of if they have a token.

[keita-determined]

\o/

[BOsterbuhr]

Currently that's not what's being done in this PR. However, I'm happy to add in a new config to the master to allow for auto-redirect to the SSO provider by default for every user regardless of if they have a token.

@corban-beaird
That would be perfect, thank you 🙏🏼

[maxrussell]

Some nits, but this LGTM.

[dougdet]

@corban-beaird 👋🏻

Currently that's not what's being done in this PR. However, I'm happy to add in a new config to the master to allow for auto-redirect to the SSO provider by default for every user regardless of if they have a token.

Is this being worked into the PR? This is critical. Also, sorry if I missed the explanation: if the user has an Okta token that hasn't yet been "seen" by MLDE, will the user be re-directed to the requested page?

[corban-beaird]

Is this being worked into the PR? This is critical. Also, sorry if I missed the explanation: if the user has an Okta token that hasn't yet been "seen" by MLDE, will the user be re-directed to the requested page?

@dougdet Yep, I pushing up a PR to add in the ability to always redirect to the designated SSO provider; with the exception of cases where users perform a hard logout (i.e. clicking the logout button).

[dougdet]

@dougdet Yep, I pushing up a PR to add in the ability to always redirect to the designated SSO provider; with the exception of cases where users perform a hard logout (i.e. clicking the logout button).

Great!

"i.e. clicking the logout button". Is there no way around this? The user may logout that way and may still be auth'd in Okta (have its token). If no way around, we'll just have to make this very clear to the customer that if a user does this they'll bump into the Login page. I'll bet they'll ask to hide the Logout button if the master.yaml is set to "always redirect".

[corban-beaird]

"i.e. clicking the logout button". Is there no way around this? The user may logout that way and may still be auth'd in Okta (have its token). If no way around, we'll just have to make this very clear to the customer that if a user does this they'll bump into the Login page. I'll bet they'll ask to hide the Logout button if the master.yaml is set to "always redirect".

@dougdet If we aren't sending folks to the the determined login page & they still have an active session with Okta that we don't manage, they'll immediately get logged back into determined after hitting sign out. Is there ever a case where a user would ever want to log in under a different account?

[dougdet]

@dougdet If we aren't sending folks to the the determined login page & they still have an active session with Okta that we don't manage, they'll immediately get logged back into determined after hitting sign out. Is there ever a case where a user would ever want to log in under a different account?
@corban-beaird I think you have it covered. Not sure a "regular" user would ever be logging in under a different account.

[BOsterbuhr]

Helm values LGTM

[kkunapuli]

super nit picky: I think there's a typo here The flag to indicates

[corban-beaird]

All good this is a solid catch! Thanks!

[tara-hpe]

LGTM

[JComins000]

codeowners says i should only need to review changes in these directories, but i don't see any changes there. approved

/webui/react/src/e2e              @determined-ai/test
/webui/react/playwright.config.ts @determined-ai/test