
With OIDC enabled the main page fails after some time of inactivity #422

Open
1 of 3 tasks
SilviaAmAm opened this issue Oct 14, 2024 · 6 comments · Fixed by #437
Assignees
Labels
bug Something isn't working

Comments

@SilviaAmAm
Collaborator

SilviaAmAm commented Oct 14, 2024

Reproducing

  • Start the docker compose in backend/docker-services/keycloak with docker compose up.
  • Add this setting (to base.py, for example): OIDC_RENEW_ID_TOKEN_EXPIRY_SECONDS = 0.
  • Enable OIDC. This can be done by loading the fixture oidc_config_test.json in the backend.
  • Start the backend and the frontend.
  • Go to the OAB login page (http://localhost:3000/login) and log in with OIDC.
  • Close the OAB tab and, after a bit, go to http://localhost:3000/.
    This should cause a crash 🤔

To do

Frontend

  • Catch the 302 initiated by the backend and redirect the user to the login page

Backend

@SilviaAmAm SilviaAmAm added the bug Something isn't working label Oct 14, 2024
@SilviaAmAm SilviaAmAm self-assigned this Oct 14, 2024
@SilviaAmAm SilviaAmAm changed the title With OIDC enabled the main page fails if you are not login With OIDC enabled the main page fails after some time of inactivity Oct 15, 2024
@SilviaAmAm
Collaborator Author

SilviaAmAm commented Oct 15, 2024

What happens is:

  1. The landingLoader is called.
  2. This makes a call to getStatusMap:
    const statusMap = await getStatusMap(orderQuery);
  3. getStatusMap makes a request to the backend
    const lists = await listDestructionLists({
  4. The ID token has expired, so the backend returns a 302 to redirect to keycloak.
  5. This originates a request to the keycloak domain from the frontend. This is an unexpected Cross Origin request, so the browser (rightfully) blocks it.
  6. The frontend does not expect this error. Disaster happens, crash.

@svenvandescheur
Contributor

What would be the correct behavior here, should we catch the exception and then redirect somewhere? How do we obtain a new id token?

@SilviaAmAm
Collaborator Author

SilviaAmAm commented Oct 16, 2024

The correct behaviour would be to redirect to the /login page I think, so that the user can log in again 🤔

Let's discuss it sometime this week
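The failure sequence above (loader calls the API, backend answers 302 to Keycloak, browser follows it cross-origin, CORS blocks it, loader crashes) and the proposed fix (send the user to /login instead) can be shown together in a small fetch wrapper. This is an added example, not code from the open-archiefbeheer project or its authors: the names apiFetch, SessionExpiredError, LOGIN_PATH, the API path and the fake backends are assumptions constructed for the illustration. The idea is to ask fetch not to follow redirects, recognise the authentication redirect explicitly, and let the route loader turn it into a redirect to the login page rather than an unhandled error.

```javascript
// Added example (not code from the open-archiefbeheer project or its authors).
// Instead of letting the browser follow the backend's 302 to Keycloak (a
// cross-origin request the loader cannot handle), the wrapper below asks fetch
// not to follow redirects, recognises the redirect, and raises a typed error
// that the route loader turns into a redirect to /login.
// Assumed names: apiFetch, SessionExpiredError, LOGIN_PATH, the API path and
// the fake backends are all constructed for this example.

const LOGIN_PATH = "/login"; // assumption: the OAB login route

class SessionExpiredError extends Error {
  constructor(location) {
    super("Session expired; re-authentication required");
    this.name = "SessionExpiredError";
    this.location = location; // where the backend wanted to send the browser, if known
  }
}

// True when the response means "the session is gone, go to the identity provider".
function isAuthRedirect(response) {
  // With redirect: "manual", browsers return an opaque response
  // (type "opaqueredirect", status 0) instead of following the 302.
  if (response.type === "opaqueredirect") return true;
  // Non-browser fetch implementations hand back the 3xx itself.
  return (
    response.status >= 300 &&
    response.status < 400 &&
    response.headers.has("location")
  );
}

// fetchImpl is injectable so the example (and its test) can run without a server.
async function apiFetch(url, options = {}, fetchImpl = globalThis.fetch) {
  let response;
  try {
    response = await fetchImpl(url, {
      ...options,
      credentials: "include", // send the Django session cookie
      redirect: "manual", // do not follow the 302 to Keycloak
    });
  } catch (err) {
    // If a redirect was followed anyway and CORS blocked it, fetch rejects with
    // a TypeError ("Failed to fetch"); treat that as an expired session too.
    if (err instanceof TypeError) throw new SessionExpiredError(null);
    throw err;
  }
  if (isAuthRedirect(response)) {
    throw new SessionExpiredError(response.headers.get("location"));
  }
  return response;
}

// The loader's side: data on success, otherwise a redirect to /login carrying
// a "next" parameter so the user returns to the page they were on.
async function landingLoader(fetchImpl, currentPath = "/") {
  try {
    const res = await apiFetch("/api/v1/destruction-lists/", {}, fetchImpl);
    return { kind: "data", lists: await res.json() };
  } catch (err) {
    if (err instanceof SessionExpiredError) {
      return { kind: "redirect", to: `${LOGIN_PATH}?next=${encodeURIComponent(currentPath)}` };
    }
    throw err; // anything else is a real error and should surface
  }
}

// Constructed stand-ins for the backend so the example runs offline.
const fakeFetchOk = async () =>
  new Response(JSON.stringify([{ name: "list-1" }]), {
    status: 200,
    headers: { "content-type": "application/json" },
  });
const fakeFetchRedirect = async () =>
  new Response(null, { status: 302, headers: { location: "http://keycloak.example/auth" } });
const fakeFetchCorsBlocked = async () => {
  throw new TypeError("Failed to fetch");
};

// Usage: run the loader against each constructed backend and print the outcome.
Promise.all([
  landingLoader(fakeFetchOk),
  landingLoader(fakeFetchRedirect, "/destruction-lists/3"),
  landingLoader(fakeFetchCorsBlocked),
]).then((results) => results.forEach((r) => console.log(r)));
```

Two design points worth noting: `redirect: "manual"` keeps the browser from ever issuing the cross-origin request to Keycloak, so the loader sees a well-defined opaque redirect instead of a CORS failure; and the TypeError branch is a fallback for the case where a redirect is followed anyway, so the loader degrades to "log in again" rather than an unhandled exception. Keeping OIDC_RENEW_ID_TOKEN_EXPIRY_SECONDS and SESSION_COOKIE_AGE aligned on the backend makes this path rarer, but the frontend should still handle it.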

@SilviaAmAm
Collaborator Author

Investigated the setting OIDC_RENEW_ID_TOKEN_EXPIRY_SECONDS: https://github.com/mozilla/mozilla-django-oidc/blob/2c2334fdc9b2fc72a492b5f0e990b4c30de68363/docs/installation.rst#validate-id-tokens-by-renewing-them
This is the setting that causes the token expiry and it defaults to 15 min.

If this and the SESSION_COOKIE_AGE are the same, then we should be okay.

SilviaAmAm added a commit that referenced this issue Oct 18, 2024
[#422] Make the Django session length and the OIDC session check configurable
@github-project-automation github-project-automation bot moved this from In Progress to Done in Open Archiefbeheer - Sprints Oct 18, 2024
@SilviaAmAm SilviaAmAm reopened this Oct 18, 2024
@SilviaAmAm SilviaAmAm moved this from Done to Todo in Open Archiefbeheer - Sprints Oct 18, 2024
@SilviaAmAm SilviaAmAm removed their assignment Oct 18, 2024
@SilviaAmAm SilviaAmAm removed the discuss Further information is requested label Oct 18, 2024
@sergei-maertens
Member

FYI, in team bron and OF we opted to remove the SessionRefreshMiddleware from the backend - that might also solve this problem!
