
[BUG] Missing background refresh of OIDC access_token (for /app/dashboards) #2025

Open
briend opened this issue Jul 10, 2024 · 5 comments
Labels
bug Something isn't working triaged

Comments

@briend

briend commented Jul 10, 2024

What is the bug?

Most of our auth issues went away with #1966 in opensearch 2.15.0, however if instead of the discover (/app/data-explorer) or visualize (/app/visualize) UI, you use the dashboards UI (/app/dashboards), you should see the same refresh issue with tokens expiring. We use GitLab for OIDC, which has a default 2-minute lifetime that is currently not easily configurable: https://gitlab.com/gitlab-org/gitlab/-/issues/377654. This short lifetime might be making the problem more obvious.

How can one reproduce the bug?
Steps to reproduce the behavior:

  1. set OIDC token expiration to 2 minutes
  2. visit an opensearch dashboard (/app/dashboards) (not the discover or visualize interfaces)
  3. wait about 5-10 minutes and you may be redirected to the login page to log in again via oidc when trying to interact with the page.

What is the expected behavior?
Viewing a dashboard for more than 10-20 minutes should not let the token expire.

What is your host/environment?

  • OS: kubernetes/gitlab
  • Version 2.15.0

Do you have any additional context?

error message:


Error: Response Error: 400 Bad Request
    at internals.Client._shortcut (/usr/share/opensearch-dashboards/plugins/securityDashboards/node_modules/@hapi/wreck/lib/index.js:569:15)
    at processTicksAndRejections (node:internal/process/task_queues:95:5)
    at callTokenEndpoint (/usr/share/opensearch-dashboards/plugins/securityDashboards/server/auth/types/openid/helper.ts:88:25)
    at OpenIdAuthentication.isValidCookie (/usr/share/opensearch-dashboards/plugins/securityDashboards/server/auth/types/openid/openid_auth.ts:287:38)
    at /usr/share/opensearch-dashboards/plugins/securityDashboards/server/auth/types/authentication_type.ts:145:24
    at Object.interceptAuth [as authenticate] (/usr/share/opensearch-dashboards/src/core/server/http/lifecycle/auth.js:116:22)
    at exports.Manager.execute (/usr/share/opensearch-dashboards/node_modules/@hapi/hapi/lib/toolkit.js:60:28)
    at module.exports.internals.Auth._authenticate (/usr/share/opensearch-dashboards/node_modules/@hapi/hapi/lib/auth.js:273:30)
    at Request._lifecycle (/usr/share/opensearch-dashboards/node_modules/@hapi/hapi/lib/request.js:371:32)
    at Request._execute (/usr/share/opensearch-dashboards/node_modules/@hapi/hapi/lib/request.js:281:9)

'www-authenticate': 'Bearer realm="Doorkeeper", error="invalid_grant", error_description="The provided authorization grant is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client."',

If you open two browser tabs/windows, one with discover (app/data-explorer) and one with dashboards, the discover window/tab will keep the token refreshed and you won't have the problem with dashboards.
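To make the failure mode in the stack trace concrete, here is an added TypeScript model of the server-side cookie check (isValidCookie calling the token endpoint); it is not code from the security plugin or from this report. The 2-minute access-token lifetime is from the report; the 300-second refresh-token lifetime and the two request schedules are constructed assumptions.

```typescript
// Added example: a model of the refresh path in the stack trace above, not code
// from the security plugin. The refresh-token lifetime and request schedules are
// constructed assumptions; only the 2-minute access-token lifetime is from the report.
type Session = { accessExpiresAt: number; refreshExpiresAt: number; loggedOut: boolean };

const ACCESS_LIFETIME_S = 120;  // GitLab default access_token lifetime (2 minutes) from the report
const REFRESH_LIFETIME_S = 300; // ASSUMED refresh-token lifetime for the simulation

function login(now: number): Session {
  return {
    accessExpiresAt: now + ACCESS_LIFETIME_S,
    refreshExpiresAt: now + REFRESH_LIFETIME_S,
    loggedOut: false,
  };
}

// Stand-in for callTokenEndpoint(): once the refresh token has lapsed the provider
// answers invalid_grant, which is the 400 Bad Request seen in the trace.
function callTokenEndpoint(s: Session, now: number): { ok: boolean; error?: string } {
  if (now >= s.refreshExpiresAt) return { ok: false, error: 'invalid_grant' };
  s.accessExpiresAt = now + ACCESS_LIFETIME_S;
  s.refreshExpiresAt = now + REFRESH_LIFETIME_S;
  return { ok: true };
}

type CheckResult = 'valid' | 'refreshed' | 'login_required';
// Runs on every request that passes through the auth lifecycle (isValidCookie in the trace).
function isValidCookie(s: Session, now: number): CheckResult {
  if (s.loggedOut) return 'login_required';
  if (now < s.accessExpiresAt) return 'valid';
  const r = callTokenEndpoint(s, now);
  if (!r.ok) {
    s.loggedOut = true; // cookie is cleared and the browser is redirected to the login page
    return 'login_required';
  }
  return 'refreshed';
}

// Replays a schedule of request times (seconds since login) against one session.
function replay(requestTimes: number[]): CheckResult[] {
  const s = login(0);
  return requestTimes.map((t) => isValidCookie(s, t));
}

// Discover-like tab: a background request every 60 s refreshes before the refresh token lapses.
const activeTab = replay([60, 120, 180, 240, 300, 360, 420, 480, 540, 600]);
// Dashboard-like tab: idle for 10 minutes, then the first interaction hits invalid_grant.
const idleTab = replay([600]);
```

Any page that never sends a request through the auth lifecycle while the refresh token is still valid ends up in the idleTab case, which is the behaviour the second tab in the workaround above avoids.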

@cwperks
Member

cwperks commented Jul 15, 2024

[Triage] Thank you for filing this issue with detailed steps on how to reproduce! Marking this as triaged.

@v-miguel

v-miguel commented Dec 4, 2024

Hi,

I'm also experiencing the same issue.
@briend did you find any solution for this?

@briend
Author

briend commented Dec 4, 2024

> Hi,
>
> I'm also experiencing the same issue. @briend did you find any solution for this?

No solution yet. Did you by chance try 2.18.0? I haven't tested that yet, but I didn't see much in the release notes to suggest it might be fixed. I'm still seeing the issue in 2.15.0.

@v-miguel

v-miguel commented Dec 4, 2024

Yes, already updated my opensearch infra to version 2.18.0 but the problem persists. Also tried some adjustments from #1522, unfortunately without success.

@TBSliver

TBSliver commented Jan 9, 2025

Having a similar/same issue here, using GitLab OIDC for auth, and can't use the 'offline_access' method as that isn't a supported scope on GitLab (as mentioned in #2114). This is under 2.18.0.

Also seeing something similar happening on 2.17.1, but this time with an HTTP basic login. I would guess this is unrelated though.
