Bug 1816991

Summary: Setting accessTokenInactivityTimeoutSeconds does not logout user from web console
Product: OpenShift Container Platform
Reporter: Arnab Ghosh <arghosh>
Component: apiserver-auth
Assignee: Standa Laznicka <slaznick>
Status: CLOSED ERRATA
QA Contact: pmali
Severity: low
Priority: low
Version: 4.3.z
CC: aos-bugs, aygarg, mfojtik, rabdulra, slaznick, vareti, xxia
Target Release: 4.5.0
Hardware: Unspecified
OS: Unspecified
Doc Type: No Doc Update
Last Closed: 2020-08-04 18:07:10 UTC
Type: Bug

Comment 3 Venkata Siva Teja Areti 2020-03-30 17:25:22 UTC
I hope this is not claimed anywhere as it is currently not supported.

Comment 4 Arnab Ghosh 2020-03-31 05:27:12 UTC
(In reply to vareti from comment #3)
> I hope this is not claimed anywhere as it is currently not supported.

[arghosh@arghosh ~]$ oc get crd oauths.config.openshift.io -oyaml|grep -A 20 'tokenConfig'
            tokenConfig:
              description: tokenConfig contains options for authorization and access
                tokens
              properties:
                accessTokenInactivityTimeoutSeconds:
                  description: 'accessTokenInactivityTimeoutSeconds defines the default
                    token inactivity timeout for tokens granted by any client. The
                    value represents the maximum amount of time that can occur between
                    consecutive uses of the token. Tokens become invalid if they are
                    not used within this temporal window. The user will need to acquire
                    a new token to regain access once a token times out. Valid values
                    are integer values:   x < 0  Tokens time out is enabled but tokens
                    never timeout unless configured per client (e.g. `-1`)   x = 0  Tokens
                    time out is disabled (default)   x > 0  Tokens time out if there
                    is no activity for x seconds The current minimum allowed value
                    for X is 300 (5 minutes)'
                  format: int32
                  type: integer
                accessTokenMaxAgeSeconds:
                  description: accessTokenMaxAgeSeconds defines the maximum age of
                    access tokens
                  format: int32

Comment 5 Standa Laznicka 2020-04-06 07:23:57 UTC
That's a wrong component, oauth-apiserver hasn't shipped yet, but I understand the confusion.

This feature hasn't worked in 4.x clusters, but there is an RFE - https://issues.redhat.com/browse/RFE-88.

I'll mark the field as deprecated, as it should've always been; not sure if the description change makes it to earlier OpenShift versions, though.

Comment 10 Xingxing Xia 2020-05-07 15:37:36 UTC
If it failed QA, move it to Assigned instead. "Post" is incorrect; it means the fix PR exists but is not yet merged.
If you want to verify, please check the latest payload as of the time you verify, instead of yesterday's old payload, because every hour there is a newer "latest" payload with newer updates.

Comment 15 errata-xmlrpc 2020-08-04 18:07:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.5 image release advisory), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2409