
Login error after token expired

Open RomuDeuxfois opened this issue 1 year ago • 9 comments

Description

After being logged out due to my token expiring, I get an error when I try to log in again.

Reproducible Steps

Steps to create the smallest reproducible scenario:

  1. Log in
  2. Wait to be logged out automatically
  3. Log in again
  4. An error occurs

RomuDeuxfois avatar Mar 12 '24 16:03 RomuDeuxfois

@RomuDeuxfois Is this a problem with local authentication? OpenID auth? All?

guillaumejparis avatar Mar 13 '24 15:03 guillaumejparis

@guillaumejparis The problem was seen with the corporate login on the testing platform.

RomuDeuxfois avatar Mar 13 '24 15:03 RomuDeuxfois

OK, so SAML.

guillaumejparis avatar Mar 13 '24 16:03 guillaumejparis

This error?

Image

guillaumejparis avatar Apr 04 '24 08:04 guillaumejparis

To test and fix this, we need to reproduce it locally with a low token timeout, but I cannot do that as I don't have the rights on Microsoft Entra.

guillaumejparis avatar Apr 04 '24 12:04 guillaumejparis

@guillaumejparis

image

SamuelHassine avatar May 15 '24 10:05 SamuelHassine

I think the repro case is much simpler:

  1. Log in with SAML
  2. Restart the platform
  3. Reload
  4. Log in again

SamuelHassine avatar May 15 '24 10:05 SamuelHassine

I can't reproduce the issue, even in the staging environment.

savacano28 avatar May 21 '24 07:05 savacano28

Same, I can't reproduce it locally; I see it sometimes on testing.

guillaumejparis avatar May 23 '24 07:05 guillaumejparis

So far we have tried restarting the backend and destroying our JSESSIONID. I've already seen it locally, but at random times when of course I have no way to debug it. Sometimes it seems to happen after some time without interacting with obas, but it is not systematic.

guillaumejparis avatar Jun 05 '24 11:06 guillaumejparis

I managed to find a way to reproduce the issue:

  • Go to the login page
  • Wait 5 min (maybe less, I haven't found the exact time)
  • Try to log in using SAML

I'm still investigating as to why this happens.

Dimfacion avatar Jun 13 '24 11:06 Dimfacion

State of this bug: from what I understand, the issue is that the response from the SAML service provider contains a param "InResponseTo" that specifies the ID of the request that initiated the authentication. In a working use case, Spring is supposed to check that this ID is contained in a default Spring repository. For unknown reasons, that ID is not found when waiting 5 min between going to the login page and calling the service provider. I'm still working on this bug to find a fix.

Dimfacion avatar Jun 14 '24 07:06 Dimfacion

Update on this issue: first of all, the bug happens when hitting the 120s mark. The issue is that the request is saved correctly before doing the call to the Service Provider, but if the session is older than 120s, it is recreated during the callback from the Service Provider to the backend (step 6 on the schema linked to this comment), leading to an error during the validation of the initial request. I'm very much unsure why, or which component invalidates this session, so I decided to fix the issue by recreating an HttpSession right before the initial call is made (step 3 in the schema), when we save the request, and copying the attributes from the old one to the new one. This is not ideal, but we've spent way too much time on this and it fixes the issue.

saml-single-sign-on-workflow

Dimfacion avatar Jun 17 '24 09:06 Dimfacion
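The workaround described in the last two comments (renew the HttpSession right before the SAML AuthnRequest is saved, carrying over its attributes, so the InResponseTo check on the callback still finds the stored request ID) can be expressed as a delegating request repository. The following is an added example written for this thread, not OpenBAS/OpenAEV code and not the fix the project shipped. It assumes Spring Security 6.x with the `jakarta.servlet` API; `Saml2AuthenticationRequestRepository`, `HttpSessionSaml2AuthenticationRequestRepository` and `AbstractSaml2AuthenticationRequest` are real Spring Security types, while the class name `SessionRenewingSaml2RequestRepository` and the helper `renewSession` are hypothetical.

```java
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.Map;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import jakarta.servlet.http.HttpSession;

import org.springframework.security.saml2.provider.service.authentication.AbstractSaml2AuthenticationRequest;
import org.springframework.security.saml2.provider.service.web.HttpSessionSaml2AuthenticationRequestRepository;
import org.springframework.security.saml2.provider.service.web.Saml2AuthenticationRequestRepository;

/**
 * Hypothetical wrapper (example only, not project code). Before the default
 * session-backed repository stores the outgoing AuthnRequest, the current
 * HttpSession is replaced by a fresh one that keeps the old attributes. The
 * request ID that InResponseTo must match therefore lives in a session whose
 * timeout window starts now, not in one that is about to expire and be
 * recreated empty during the callback.
 */
public class SessionRenewingSaml2RequestRepository
        implements Saml2AuthenticationRequestRepository<AbstractSaml2AuthenticationRequest> {

    private final Saml2AuthenticationRequestRepository<AbstractSaml2AuthenticationRequest> delegate =
            new HttpSessionSaml2AuthenticationRequestRepository();

    @Override
    public AbstractSaml2AuthenticationRequest loadAuthenticationRequest(HttpServletRequest request) {
        return delegate.loadAuthenticationRequest(request);
    }

    @Override
    public void saveAuthenticationRequest(AbstractSaml2AuthenticationRequest authenticationRequest,
                                          HttpServletRequest request, HttpServletResponse response) {
        // Step 3 of the flow: renew the session first, then let Spring store the request in it.
        renewSession(request);
        delegate.saveAuthenticationRequest(authenticationRequest, request, response);
    }

    @Override
    public AbstractSaml2AuthenticationRequest removeAuthenticationRequest(HttpServletRequest request,
                                                                          HttpServletResponse response) {
        // Step 6 of the flow: Spring removes and validates the stored request during the callback.
        return delegate.removeAuthenticationRequest(request, response);
    }

    /** Invalidate the current session (if any) and create a new one carrying the same attributes. */
    static HttpSession renewSession(HttpServletRequest request) {
        HttpSession old = request.getSession(false);
        Map<String, Object> attributes = new LinkedHashMap<>();
        if (old != null) {
            Enumeration<String> names = old.getAttributeNames();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                attributes.put(name, old.getAttribute(name));
            }
            old.invalidate();
        }
        HttpSession fresh = request.getSession(true);
        attributes.forEach(fresh::setAttribute);
        return fresh;
    }
}
```

Registering it replaces the default repository, for example with `http.saml2Login(saml2 -> saml2.authenticationRequestRepository(new SessionRenewingSaml2RequestRepository()))` in the security configuration (Spring Security 6 DSL assumed). Two things to check when adopting a workaround like this: the new session issues a fresh JSESSIONID cookie before the redirect to the identity provider, so any session fixation protection or session-count limits must tolerate that, and the user still has to complete the IdP login within the container's session timeout (120s in this thread) counted from the renewal, so a too-short timeout will still break the InResponseTo check.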