
v3 OIDC Token Refresh Issue

Open Michael-Andersen opened this issue 2 years ago • 9 comments

Running v3-stable with OIDC, if you stay on one page of the viewer long enough for your OIDC access token to expire, the page becomes unresponsive (due to authentication failures). Refreshing the page fixes the issue.

To reproduce:

  1. Run OHIF v3 with OIDC configuration.
  2. Stay on study list page past the duration of your access token lifetime (configured in your OIDC provider).
  3. Change a filter on the study list (or do any activity which should go to the backend and pull up new studies).
  4. You should see the URL param change but the study list contents do not change (and you should see request failures in the console).
  5. Refreshing with same URL should correctly update the study list.

I have implemented a fix for this inside the file platform/viewer/src/utils/getUserManagerForOpenIdConnectClient.js:

```js
// Renew the access token shortly before it expires and hand the refreshed user to the auth service.
userManager.events.addAccessTokenExpiring(() => {
  userManager.signinSilent().then(user => {
    userAuthenticationService.setUser(user);
  });
});
```

This is working for us so I'm happy to make a pull request with this solution. But I'm not sure why the silent refresh (which should be configured by the OIDC settings and worked in v2 OHIF) isn't working? So I don't know if there's a better solution. Could be related to the cross origin isolation and issues I ran into implementing multi-tab logout: https://github.com/OHIF/Viewers/pull/2840 Might be worth taking a look at overall OIDC approach.

Tagging @swederik since I'm told you are knowledgeable about OAuth.

Michael-Andersen avatar Aug 26 '22 20:08 Michael-Andersen

@Michael-Andersen Do you know if this is still an issue? or we solved it?

sedghi avatar Oct 13 '23 14:10 sedghi

@sedghi tested with v3.7.0, modified the default config to use my PACS and Keycloak instance, and this is still an issue. If I leave the study list open past the access token lifetime duration and then change a filter I get redirected to /notfoundserver. If I then refresh the page, the study list loads properly and I'm still authenticated.

My fix implemented above still solves the issue for me.

Michael-Andersen avatar Oct 31 '23 15:10 Michael-Andersen

oh you have a fix too, ok thanks a lot!

sedghi avatar Oct 31 '23 16:10 sedghi

@sedghi take a look and see if it's resolved

james-hanks avatar Nov 29 '23 18:11 james-hanks

I'm revisiting our Auth implementation, and from my understanding, we are currently using the OAuth implicit flow instead of the Authorization Code flow. Based on my research, the implicit flow does not involve a refresh token. Am I mistaken, @Michael-Andersen?

sedghi avatar May 27 '24 20:05 sedghi

@sedghi What you've said seems correct to me. My team are using the Authorization Code flow (response_type: 'code' in oidc config) so we need to use refresh tokens and the above fix is required. I've tested using Implicit Flow, without my above fix and it behaves as expected.

I think maybe Authorization Code flow is considered a better practice than Implicit Flow.

Another difference is that with Implicit Flow once the "Access Token Lifespan For Implicit Flow" elapses I think you will have to sign back into the viewer. This doesn't happen with Authorization Code if you implement the refresh token retrieval as above. We have additionally used a library (https://idletimer.dev/) to sign out users if all their open viewer tabs have been idle for more than 30 minutes. Probably not suitable for the OHIF repo, but that's how we have our OIDC set up.

Michael-Andersen avatar May 28 '24 17:05 Michael-Andersen
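The renewal wiring from the first post, and the point made just above that the Authorization Code flow relies on refresh tokens, can be seen end to end in the following added example. It is not OHIF code and not the fix that was merged; it only assumes the oidc-client method names the issue already uses (`events.addAccessTokenExpiring`, `events.addSilentRenewError`, `signinSilent`, `removeUser`). It adds two things a handler in production also needs: overlapping "expiring" events share one renewal, and a renewal the provider refuses clears the session instead of leaving a stale token in use. `FakeUserManager`, `FakeAuthService` and the sample tokens are constructed stand-ins so it runs offline without an OIDC provider.

```javascript
// Added example, not OHIF code. Access-token renewal on top of an oidc-client
// style UserManager, with coalesced renewals and stale-session cleanup.
// Only the oidc-client method names used in the issue are assumed; the Fake*
// classes are constructed stand-ins so this runs without an OIDC provider.

function registerTokenRefresh(userManager, authService) {
  let inFlight = null; // promise of the renewal currently in progress, if any

  function refresh() {
    if (inFlight) return inFlight; // share the in-progress renewal
    inFlight = userManager
      .signinSilent()
      .then(user => {
        authService.setUser(user); // hand the refreshed user to the viewer
        return user;
      })
      .catch(async () => {
        // Renewal failed (refresh token revoked, expired or rejected): drop the
        // user so the app re-authenticates instead of retrying with a token the
        // backend will reject.
        authService.clearUser();
        await userManager.removeUser();
        return null;
      })
      .finally(() => {
        inFlight = null;
      });
    return inFlight;
  }

  userManager.events.addAccessTokenExpiring(() => refresh());
  // oidc-client's own automaticSilentRenew reports failures here; treat them the
  // same way so a stale user is never left in place.
  userManager.events.addSilentRenewError(() => authService.clearUser());
  return refresh;
}

// Constructed stand-in for oidc-client's UserManager. Each entry in `renewals`
// is an access token the fake provider will hand out; once the list is empty
// signinSilent() rejects, modelling a refresh token the provider no longer accepts.
class FakeUserManager {
  constructor(renewals) {
    this.renewals = renewals.slice();
    this.user = null;
    this.signinCalls = 0;
    const expiring = [];
    const renewError = [];
    this.events = {
      addAccessTokenExpiring: cb => expiring.push(cb),
      addSilentRenewError: cb => renewError.push(cb),
    };
    // Test hook: fire the "expiring" event and wait for every handler.
    this.fireExpiring = () => Promise.all(expiring.map(cb => cb()));
  }

  signinSilent() {
    this.signinCalls += 1;
    const token = this.renewals.shift();
    if (!token) return Promise.reject(new Error('refresh token rejected by provider'));
    this.user = { access_token: token };
    return Promise.resolve(this.user);
  }

  removeUser() {
    this.user = null;
    return Promise.resolve();
  }
}

// Constructed stand-in for OHIF's userAuthenticationService.
class FakeAuthService {
  constructor(user) { this.user = user; }
  setUser(user) { this.user = user; }
  clearUser() { this.user = null; }
}

// One successful renewal (two expiry events arriving together) followed by one
// the provider refuses. Sample tokens are constructed.
async function demo() {
  const userManager = new FakeUserManager(['tok-2']); // exactly one renewal available
  const auth = new FakeAuthService({ access_token: 'tok-1' });
  const refresh = registerTokenRefresh(userManager, auth);

  const [a, b] = await Promise.all([refresh(), refresh()]);
  const sharedRenewal = a === b && auth.user.access_token === 'tok-2';
  const renewalsUsed = userManager.signinCalls; // 1: the second call reused the first

  await userManager.fireExpiring(); // provider now refuses: session is cleared
  const signedOut = auth.user === null && userManager.user === null;

  return { sharedRenewal, renewalsUsed, signedOut };
}

demo().then(result => console.log(JSON.stringify(result)));
```

With the real library, `registerTokenRefresh(userManager, userAuthenticationService)` replaces the bare `addAccessTokenExpiring` call from the first post; the `null` return on failure is the moment at which the viewer should send the user back through `signinRedirect()` rather than keep issuing requests that fail.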

> I think maybe Authorization Code flow is considered a better practice than Implicit Flow.

Absolutely, I'm moving OHIF to Authorization Code Flow this week, it was on my todo list

sedghi avatar May 28 '24 18:05 sedghi

Refer to #4101

james-hanks avatar May 29 '24 17:05 james-hanks

Fixed here https://github.com/OHIF/Viewers/pull/4234

sedghi avatar Jul 09 '24 18:07 sedghi