Bug 1792140

Summary: Smart card session should removed when card is removed from reader
Product: Red Hat Satellite Reporter: Nikhil Kathole <nkathole>
Component: AuthenticationAssignee: satellite6-bugs <satellite6-bugs>
Status: CLOSED WONTFIX QA Contact: Omkar Khatavkar <okhatavk>
Severity: high Docs Contact:
Priority: unspecified    
Version: 6.7.0CC: apatel, bkearney, dsinglet, mhulan, okhatavk, rabajaj, satellite6-bugs, tbrisker
Target Milestone: UnspecifiedKeywords: Triaged
Target Release: Unused   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-03-06 07:12:48 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1772026    

Description Nikhil Kathole 2020-01-17 06:56:53 UTC 
Description of problem:

Smartcard session should removed when card is removed from reader. This issue was expected to resolve via https://bugzilla.redhat.com/show_bug.cgi?id=1772026 but to track this particular scenario, raising it explicitly.

Version-Release number of selected component (if applicable):
Satellite 6.7 snap 8


How reproducible:
always

Steps to Reproduce:
1. Integrate keycloak with satellite
2. Insert smart card in reader 
3. Visit satellite url and login 
4. Remove smart card from reader
 
Actual results:
Session still continues though card is removed from reader.

Expected results:
Session should revoked as soon as card is removed from reader. 

Additional info:
This behaviour work perfectly with keycloak and same behaviour is expected to work in case of satellite.
Comment 3 Rahul Bajaj 2020-01-20 04:59:23 UTC 
Hello,

As per discussion, we will not perform single-sign-out if the user logs out or removes card etc. The session expires only when the token expires.
Let me know if you have different thoughts on this one.

Thanks,
Comment 4 Nikhil Kathole 2020-01-20 06:02:32 UTC 
Clearing the needinfo of mine, as the expected behavior of smart card or even the working of smart card with Keycloak/RHSSO is session get immediately revoked after removal of smart card from reader. Leaving the final call for development or PMs, what behavior we would like to see in case of foreman.
Comment 5 Anurag Patel 2020-01-20 13:22:35 UTC 
The SmartCard auth workflow integration we have at the moment does not treat SmartCard eject scenario differently. We've discussed this behavior within Devs and with PM and our opinion is to get this out with the current behavior and get feedback from the field. 

I agree with you about special handling for SmartCard ejects, however more work and input from RHSSO team is required to get the behavior right. Adding Dana and BK for their information.
Comment 10 Omkar Khatavkar 2020-03-02 07:22:03 UTC 
@Anurag @Tomer @Rahul, Please provide the steps for configuring the mechanism helping users to configure to re-authenticate. Please provide the time will take to sign-out from satellite after smart card ejection.
Comment 11 Tomer Brisker 2020-03-03 12:01:38 UTC 
Session time out is configurable from settings regardless of the authentication mechanism. When session times out, the user is redirected to the login page. 
In the case of SSO, if the user is still logged into SSO they should be automatically re-authenticated. 
If after the session times out the smart card is no longer connected I would expect the SSO authentication to fail and thus not re-authenticate the user.
Comment 12 Tomer Brisker 2020-03-03 14:20:08 UTC 
Correction: in the case of keycloak, the session timeout is defined by keycloak and passed as the 'exp' section of the token. Once that timeout is reached, user will be redirected to SSO login page. If the keycard has been removed by then, they will not be able to login again.
Comment 13 Matt Pusateri 2020-03-03 22:27:09 UTC 
Since there is a technical limitation on a browser being able to recognize a CAC card ejection. For now the best we can agree to is this: Whenever the satellite session invalidates, we should look to re-authenticate. If the SSO session is invalid, we should force the user to re-auth.  This means there is an acknowledged window of opportunity between when the CAC card is removed and when the session times out that will allow access until the session times out. 

We will look to determine in the future how we can better facilitate invalidating the session when the CAC card is removed. Until then the SSO Admin will have to set a reasonable timeout for sessions for his organization and recognize the limitations of the browser for CAC removal. Alternate security precautions at the OS or Physical access level should be considered by the SSO Administrator.
Comment 14 Rahul Bajaj 2020-03-06 07:12:48 UTC 
Hello,

Matt is correct :) To clarify further, we must leave the access token and refresh token lifetime as the default values defined by Keycloak which is 5 minutes and 30 minutes respectively. Also, bear in mind that customers may change this depending on their own policies.

Tomer, I need to check if the `the default values defined by Keycloak. Also, bear in mind that customers may change this depending on their own policies.` part of your comment can be implemented or not. 

In any case, this BZ should be closed as WONTFIX. Feel free to open it, if you feel otherwise.

Thanks,
Comment 15 Rahul Bajaj 2020-03-06 07:17:40 UTC 
Hello,

Sorry, wrong sentence copied in the previous comment!

I meant:

Tomer, I need to check if the `If the keycard has been removed by then, they will not be able to login again.` part of your comment can be implemented or not. 

Thanks,