invalid auth after 3 minutes of inactivity #411
Comments
I also updated Jenkins to Did you try
My Environment
|
Thanks for your response, I just reverted the plugin to version 4.303.v84089a_708ea_7, which is the version I was using before the upgrade to the latest (sorry, I mentioned the wrong version in my bug description). I also reverted the changes to the jenkins I am still on the latest Jenkins and now everything works as expected again, except for the security warning ;) Excerpt from /etc/systemd/system/jenkins.service.d/override.conf:
Could these settings cause the aforementioned problem? |
I was able to do some more exhaustive testing with different versions of the plugin and found some interesting results:
It seems like this is related to the session timeout configured in our keycloak server. I still need to figure this out with another team, but I suspect this is set to a few minutes in my situation. This would then get me in the situation where the jenkins session is still valid but the OIDC token needs to be refreshed. Refresh works fine for pages in Jenkins that do not POST any content but apparently fails for others such as saving a job configuration. |
@edwinvanderham Have you tried enabling refresh tokens in your oidc configuration? |
@rorobig that is a good suggestion, I did not try this. Will let you know if this helps. |
I have this version of the plugin installed together with the refresh tokens configuration and I haven't seen this bug in a while, however I'm not 100% certain that this is the fix. This bug is a bit tricky to reproduce seeing how it's a timing issue. |
I will let you know after business hours, it is a little bit tricky to test this while the CI is used by many other people for building our software |
I just got the issue again while using refresh tokens so unfortunately that is not the fix. Gotta look further.. |
I think this is expected. If your browser is inactive for this amount of time then the session will be gone (sessionTimeout). The session timeout should be longer than the access token's lifetime (if you want the refresh token to work). |
This may not be a refresh, but that you are bounced to the OIC server to authenticate again (refresh would be using a refresh token which will not redirect you at all in the browser). The CSRF Crumb needs the user to be the same when issuing the crumb and using the crumb (if your jenkins session has timed out then you have in effect gone from logged-in to logged-out). |
Yes it is expected that the session times out after 600 minutes, in my case it is only a few minutes after which I cannot submit a job configuration change anymore, but can refresh the main page without having to re-login. Unfortunately sessionTimeout is specified in minutes and sessionEviction in seconds. See https://www.cleanwinner.com/2020/04/09/jenkins-session-timeout/ |
I would surmise that the access token received from the RP has a lifetime of 3 minutes (which is perfectly reasonable). So the crumb becomes invalid - the question is then why..... The crumb contains the user ID. https://github.com/jenkinsci/oic-auth-plugin/releases/tag/4.346.v10401f543622 (#394) is implying that the OP returns different cases usernames in some situation for the same user. I am wondering if the cause of the mismatch is the issue here - we are using the received username verbatim here which
I think we should pass the username through |
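The two comments above describe the failure mode in general terms: a CSRF crumb is bound to the user ID it was issued for, so if the session is re-established with a user ID that differs (for example only in letter case) from the one the crumb was minted under, every POST carrying the old crumb is rejected with the 403 seen in this report. The following added example is not code from the oic-auth-plugin or from Jenkins; it is a simplified, constructed model of a user-bound crumb issuer (an HMAC over the user ID, with a constructed salt) plus a toy form handler, used to show why a verbatim user ID breaks and what normalizing the ID before binding (here `str.casefold`, an assumed choice for illustration) changes.

```python
import hashlib
import hmac


class CrumbIssuer:
    """Simplified model of a CSRF crumb bound to the authenticated user.

    This is NOT the Jenkins DefaultCrumbIssuer; it only reproduces the
    property discussed in the thread: the crumb is a keyed hash over the
    user ID, so the ID at validation time must match the ID at issue time.
    """

    def __init__(self, salt: bytes, normalize=lambda user_id: user_id):
        self.salt = salt
        # Hook for canonicalising the user ID before it is bound to the crumb.
        # The default keeps the ID verbatim, which is the behaviour the
        # comment above suspects.
        self.normalize = normalize

    def issue(self, user_id: str) -> str:
        ident = self.normalize(user_id).encode("utf-8")
        return hmac.new(self.salt, ident, hashlib.sha256).hexdigest()

    def validate(self, crumb: str, user_id: str) -> bool:
        # Constant-time comparison against a freshly computed crumb.
        return hmac.compare_digest(crumb, self.issue(user_id))


def submit_form(issuer: CrumbIssuer, session_user, crumb: str):
    """Toy POST handler: checks the submitted crumb against the user who is
    currently in the session. Returns (status, message) like the error page
    quoted in the report."""
    if session_user is None:
        # Session timed out: the request is effectively anonymous now.
        return 403, "No valid crumb was included in the request"
    if not issuer.validate(crumb, session_user):
        # Same browser, but the session now carries a different user ID.
        return 403, "No valid crumb was included in the request"
    return 200, "OK"


def demo():
    """Runs the scenarios from the thread and returns the outcome of each."""
    salt = b"constructed-demo-salt-not-a-real-secret"
    verbatim = CrumbIssuer(salt)
    crumb = verbatim.issue("Edwin")  # crumb minted while logged in as "Edwin"

    results = {
        # Session still valid, same user ID: the POST succeeds.
        "same_user": submit_form(verbatim, "Edwin", crumb),
        # Session expired and not re-established: rejected.
        "session_expired": submit_form(verbatim, None, crumb),
        # Re-authenticated, but the provider returned the ID in another case:
        # rejected, although the person is the same.
        "case_changed": submit_form(verbatim, "edwin", crumb),
    }

    # Same scenario with the ID canonicalised before binding (assumed
    # mitigation, shown for illustration): the case change no longer matters.
    folded = CrumbIssuer(salt, normalize=str.casefold)
    crumb_folded = folded.issue("Edwin")
    results["case_changed_normalized"] = submit_form(folded, "edwin", crumb_folded)
    return results


if __name__ == "__main__":
    for scenario, (status, message) in demo().items():
        print(f"{scenario:26s} -> {status} {message}")
```

The `session_expired` case is the one the earlier comment calls expected behaviour; the `case_changed` case is the one that would explain a 403 on POST while GETs keep working, since a GET never presents a crumb. Whichever normalization a real issuer chooses, it has to be applied identically at issue and at validation time.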
Jenkins and plugins versions report
Environment
What Operating System are you using (both controller, and any agents involved in the problem)?
Linux
Reproduction steps
Expected Results
Normally, the job configuration would be updated and the job overview shown
Actual Results
Instead of the job configuration being saved, an error page is shown:
HTTP ERROR 403 No valid crumb was included in the request
URI: /view/Playground/job/playground/job/test/configSubmit
403 No valid crumb was included in the request
Stapler
It looks like the current auth token has been invalidated after 3 minutes of inactivity. When I go back to the Jenkins main page I am still logged in, presumably because there has been a refresh request on the OIDC provider allowing my session to be valid again.
Anything else?
This behaviour started after upgrading both Jenkins from version 2.462.2 to 2.462.3 and the oic plugin from version 4.303.v84089a_708ea_7 to the latest 4.355.v3a_fb_fca_b_96d4
Maybe relevant to mention: I did not configure an issuer in the plugin configuration after the upgrade.
I see similar behaviour if I open the Jenkins System Log page (/manage/log/all), then wait for 3 minutes and then refresh the browser. This gives me the Jenkins "Oops! Not Found" page.
Are you interested in contributing a fix?
No response