Description of problem:
External Auth - FreeIPA - Self-service UI doesn't time out when session timeout is reached

Version-Release number of selected component (if applicable):
5.8.0.7
Need to verify if earlier releases.

How reproducible:

Steps to Reproduce:
1. Configure External auth for FreeIPA via appliance_console
2. In Web UI, change session timeout to 5 mins
3. Log into self service UI
4. Wait 5 minutes, Session doesn't expire

Actual results:
Session doesn't expire

Expected results:
Session should expire when session timeout is reached.

Additional info:
I am assuming that when you say

> 2. In Web UI, change session timeout to 5 mins

it means to go to Configuration/Settings/Server/Advanced and change :session: :timeout: from 3600 to 300. Please correct me if I am wrong.
Anyway, the service ui does not have a session in the same way the traditional classic ui has. In order to achieve the same result with the service-ui, users are advised to modify the token_ttl value in Configuration/Settings/Server/Advanced.
Anyway, this does not seem to be related to external-auth/freeipa.
Anyway, the service ui does not expire anyway. There is a bug in the service ui javascript codebase. The service-ui periodically sends requests to /api?attributes=authorization without the X-Auth-Skip-Token-Renewal=True header. That is a security concern.
Anyway, I wish we had flipped the logic from X-Auth-Skip-Token-Renewal=True to something along the lines of X-Auth-Allow-Token-Renewal=True. Otherwise, there is a risk of things slipping through the cracks every year.
GH PR https://github.com/ManageIQ/manageiq-ui-service/pull/678
Also: https://github.com/ManageIQ/manageiq-ui-service/pull/731
Simon,

We still seem to have a problem with the SUI not timing out. I have watched the HTTP requests happening in my console and the SUI is not getting any type of response that would warrant us kicking a user out. All our polling requests are passing that header you had told us to put in place. What is supposed to happen? My guess was that a request coming through with that header on it after the 5 min timeout would cause the HTTP request to come back as 401 or something other than 200. Can you explain to me what is actually supposed to happen from the API side?

Thanks in advance,
Chris
Chris,

Testing on master, we still have SUI sending periodic requests to /api?attributes=authorization without the X-Auth-Allow-Token-Renewal=true

The full request headers were:

Host: localhost:3000
User-Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
x-auth-token: 36e6196e88c86f48d23a5ff9b84949b7
X-Auth-Skip-Token-Renewal: True
X-Miq-Group: EvmGroup-super_administrator
Referer: http://localhost:3000/ui/service/
Cookie: _vmdb_session=b33e356525f2a5f4d9c6577ecd9a6acd; __profilin=p%3Dt
Connection: keep-alive

You need to wait several minutes to see this request now. But it still happens.
> without the
>
> X-Auth-Allow-Token-Renewal=true

Sorry, typo. I meant

> without the
>
> X-Auth-Skip-Token-Renewal=true

The former only exists in an ideal world. We have to work with the latter. Sorry for the confusion.
The problem seems to be the missing quotes (') around true at https://github.com/ManageIQ/manageiq-ui-service/blob/b114b90a26e63c4ead172c4c72e93fe565579c5c/client/app/core/session.service.js#L72. Without the quotes, true is of type boolean. With quotes, 'true' is a string.
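To make the two points above concrete (a background poll that renews the token on every request keeps a session alive forever, and an opt-out header only works if its value actually arrives as the string 'true'), here is an added example that models the behaviour end to end. It is not code from ManageIQ or manageiq-ui-service: the header name is the one quoted in this thread, but the token store, the renew-on-every-request rule, the string-only check in skipRenewal and the timings in SCENARIO are all assumptions made for illustration.

```javascript
// Added example, not ManageIQ code. Models a renew-on-every-request API token
// and a "skip renewal" header that lets background polls opt out of renewal.
// Header name as quoted in the thread; everything else is assumed for illustration.

const SKIP_HEADER = 'X-Auth-Skip-Token-Renewal';

// Case-insensitive header lookup (HTTP header names are case-insensitive).
function lookupHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) return value;
  }
  return undefined;
}

// Assumed server-side check: only the *string* 'true' (any case) opts out.
// A boolean true that never got serialized into a header string does not
// match, which is the quoting problem discussed in this thread.
function skipRenewal(headers) {
  const value = lookupHeader(headers, SKIP_HEADER);
  return typeof value === 'string' && value.trim().toLowerCase() === 'true';
}

// Server-side token store: token -> { expiresAt } (ms since session start).
function createTokenStore(ttlMs) {
  const tokens = new Map();
  return {
    issue(token, now) {
      tokens.set(token, { expiresAt: now + ttlMs });
    },
    // HTTP-like status for a request bearing `token` at time `now`: an expired
    // token is rejected and dropped; a valid one is renewed unless the request
    // opted out of renewal.
    handle(token, headers, now) {
      const entry = tokens.get(token);
      if (!entry || now >= entry.expiresAt) {
        tokens.delete(token);
        return 401;
      }
      if (!skipRenewal(headers)) entry.expiresAt = now + ttlMs;
      return 200;
    },
  };
}

// Client side: a background poll every `pollMs` carrying `pollHeaders` while
// the user is idle for `idleMs`, then one real user request with no header.
// Returns every poll status plus the status of that user request.
function simulateIdlePolling({ ttlMs, pollMs, idleMs, pollHeaders }) {
  const store = createTokenStore(ttlMs);
  const token = 'constructed-example-token'; // constructed sample value
  store.issue(token, 0);
  const pollStatuses = [];
  for (let now = pollMs; now <= idleMs; now += pollMs) {
    pollStatuses.push(store.handle(token, pollHeaders, now));
  }
  const userStatus = store.handle(token, {}, idleMs + 1);
  return { pollStatuses, userStatus };
}

// Assumed scenario matching the report: 5 minute timeout, a poll every
// minute, and a user who walks away for 10 minutes.
const SCENARIO = { ttlMs: 5 * 60 * 1000, pollMs: 60 * 1000, idleMs: 10 * 60 * 1000 };

function runScenarios() {
  return {
    // No header: every poll renews, so the user is still logged in. (200)
    noHeader: simulateIdlePolling({ ...SCENARIO, pollHeaders: {} }),
    // Quoted string 'true': polls stop renewing, token dies at 5 minutes. (401)
    quoted: simulateIdlePolling({ ...SCENARIO, pollHeaders: { [SKIP_HEADER]: 'true' } }),
    // Bare boolean true: not a string, so the check does not match and the
    // session is kept alive exactly as if the header were absent. (200)
    unquoted: simulateIdlePolling({ ...SCENARIO, pollHeaders: { [SKIP_HEADER]: true } }),
  };
}

const results = runScenarios();
console.log('no header   -> user request after idle:', results.noHeader.userStatus);
console.log("'true'      -> user request after idle:", results.quoted.userStatus);
console.log('true (bool) -> user request after idle:', results.unquoted.userStatus);
```

The point to take from the model is that a poll which forgets the opt-out is indistinguishable, on the server side, from a live user, so a session timeout is only as good as the client's discipline about that header; the thread's later suggestion to invert the default (renew only when explicitly allowed) would turn that omission into a safe failure instead.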
Tried this on my local instance and it is still not timing the session out. I have checked my backend settings and it should be timing out. Any more suggestions?
We have added the X-Auth-Skip-Token-Renewal=true to our polling menu and our long polling http requests. I have tested this locally and we still are not getting logged out when we expect to.
Created attachment 1279412 [details]
Sample of the header we are sending

I attached a sample of the header we are sending. I have tried it as X-Auth-Skip-Token-Renewal:'true' and also as X-Auth-Skip-Token-Renewal:true. Neither of them changes the fact that we don't get logged out when we should.
Confirmed that we are sending the correct header: X-Auth-Skip-Token-Renewal='true'. From what we can tell we are sending everything we need to, but it doesn't appear to log us out. Sending to the auth team to investigate (along with the Z-stream clone).
Chris,

> Confirmed that we are sending the correct header:
>
> X-Auth-Skip-Token-Renewal='true'

This is not accurate. See comment 15. Alternatively, you can take a look at today's master https://github.com/ManageIQ/manageiq-ui-service/blob/b114b90a26e63c4ead172c4c72e93fe565579c5c/client/app/core/session.service.js#L72
Chris,

I am sorry, I need to flip it back to the service-ui. That's the only right thing in this situation. I'll try to describe at length why we need to fix this in service ui.

Before we start, there is one thing I should highlight: please note that I am not an expert on service ui or authentication, I am here just trying to help by gluing all the stuff together. I was learning new stuff today while debugging this. I must say, I enjoyed it, so feel free to ping me in future if you happen to run into something difficult.

Here are the exact steps I did to verify that the authentication mechanism is not to blame.

- I am using manageiq-ui-service today's upstream master. (commit 81fee0512baacb55dbebe183821b8f12aea64226)
- I have patched https://github.com/ManageIQ/manageiq-ui-service/blob/b114b90a26e63c4ead172c4c72e93fe565579c5c/client/app/core/session.service.js#L72
- I did the `yarn; yarn build` magic
- I started rails server in manageiq repository
- I modified session.timeout=120
- I stopped rails server in manageiq repository
- and started it again
- then I logged in to the service ui
- I went reading about borked imap at gmail for 2 minutes
- I got redirected to http://localhost:3000/ui/service/login?timeout

Then, I increased the timeout to 600. And again, I got logged out.

Everything we saw so far implies we just need to patch service-ui as I suggested in comment 15.

Also please note that http://localhost:3000/ui/service/login?timeout gives 500 on developer setup.
PR: https://github.com/ManageIQ/manageiq-ui-service/pull/771
GH PR https://github.com/ManageIQ/manageiq-ui-service/pull/773
Verified on 5.9.0.11 Ext Auth FreeIPA/AD/OpenLDAP