Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
Red Hat Satellite engineering is moving the tracking of its product development work on Satellite to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "Satellite project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs will be migrated starting at the end of May. If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "Satellite project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/SAT-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1792135

Summary: Not able to login again if session expired from keycloak
Product: Red Hat Satellite Reporter: Nikhil Kathole <nkathole>
Component: AuthenticationAssignee: Rahul Bajaj <rabajaj>
Status: CLOSED ERRATA QA Contact: Omkar Khatavkar <okhatavk>
Severity: high Docs Contact:
Priority: unspecified    
Version: 6.7.0CC: apatel, bcygan, bkearney, egolov, kgaikwad, mhulan, mmccune, okhatavk, tbrisker, vijsingh
Target Milestone: 6.8.0Keywords: Triaged
Target Release: Unused   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: foreman-2.1.0-0 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-10-27 13:00:04 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1772026    

Description Nikhil Kathole 2020-01-17 06:45:41 UTC 
Description of problem:

User is not able to login again if session is expired via keycloak. This issue was expected to resolve via https://bugzilla.redhat.com/show_bug.cgi?id=1772026 but to track this particular scenario, raising it explicitly.
 

Version-Release number of selected component (if applicable):
Satellite 6.7 snap 8


How reproducible: always


Steps to Reproduce:
1. Integrate keycloak with satellite
2. Set session timeout for 1 minute in keycloak
3. Login keycloak user via satellite
4. wait for 1 minute to get session expired.
5. Try to login again.

Actual results:
User is not able to login again and it shows continuously error as session expired.

2020-01-17T01:41:55 [I|app|3affe10a] Started POST "/users/login" for  at 2020-01-17 01:41:55 -0500
2020-01-17T01:41:55 [I|app|3affe10a] Processing by UsersController#login as HTML
2020-01-17T01:41:55 [I|app|3affe10a]   Parameters: {"login"=>{"login"=>"admin", "password"=>"[FILTERED]"}, "authenticity_token"=>"6iOFSxNfYESujbp7EYWEQlUX+08VPePFiiGpa3vN9lMvEeFDuJjvhGqcXH5gECEEQznr0zj+qgrOle46cLPyYw=="}
2020-01-17T01:41:55 [D|app|3affe10a] Authenticated user admin against INTERNAL authentication source
2020-01-17T01:41:55 [I|app|3affe10a] User 'admin' logged in from ''
2020-01-17T01:41:55 [D|app|3affe10a] Post-login processing for admin
2020-01-17T01:41:55 [I|app|3affe10a] Redirected to https://satellite.example.com/hosts
2020-01-17T01:41:55 [I|app|3affe10a] Completed 302 Found in 58ms (ActiveRecord: 4.9ms)
2020-01-17T01:41:55 [I|app|8df28461] Started GET "/hosts" for  at 2020-01-17 01:41:55 -0500
2020-01-17T01:41:55 [I|app|8df28461] Processing by HostsController#index as HTML
2020-01-17T01:41:55 [I|app|8df28461] Session for Admin User is expired.
2020-01-17T01:41:55 [I|app|8df28461] Redirected to https://satellite.example.com/users/login
2020-01-17T01:41:55 [I|app|8df28461] Filter chain halted as :session_expiry rendered or redirected
2020-01-17T01:41:55 [I|app|8df28461] Completed 302 Found in 8ms (ActiveRecord: 2.7ms)
2020-01-17T01:41:56 [I|app|fa01788b] Started GET "/users/login" for  at 2020-01-17 01:41:56 -0500
2020-01-17T01:41:56 [I|app|fa01788b] Processing by UsersController#login as HTML
2020-01-17T01:41:56 [I|app|fa01788b]   Rendering users/login.html.erb within layouts/login
2020-01-17T01:41:56 [I|app|fa01788b]   Rendered common/_login.html.erb (0.4ms)
2020-01-17T01:41:56 [I|app|fa01788b]   Rendered users/login.html.erb within layouts/login (1.2ms)
2020-01-17T01:41:56 [I|app|fa01788b]   Rendering layouts/base.html.erb
2020-01-17T01:41:56 [I|app|fa01788b]   Rendered /opt/theforeman/tfm/root/usr/share/gems/gems/foreman_theme_satellite-5.0.1.7/app/views/foreman_theme_satellite/_theme_client_side_branding.js.erb (0.5ms)
2020-01-17T01:41:56 [I|app|fa01788b]   Rendered layouts/base.html.erb (3.4ms)
2020-01-17T01:41:56 [I|app|fa01788b] Completed 200 OK in 7ms (Views: 5.7ms | ActiveRecord: 0.0ms)


Expected results:

User should be able to login again in same browser.


Additional info:
Comment 6 Rahul Bajaj 2020-01-20 04:57:05 UTC 
Hello,

This is a known issue and already has a fix present on Github: https://github.com/theforeman/foreman/pull/7338
Waiting for upstream review on this PR. This PR completes the end-to-flow of the feature at least for the happy paths.

Thanks,
Comment 11 Bryan Kearney 2020-04-28 14:12:26 UTC 
Moving this bug to POST for triage into Satellite 6 since the upstream issue https://projects.theforeman.org/issues/28669 has been resolved.
Comment 15 Omkar Khatavkar 2020-06-04 13:33:10 UTC 
Steps Executed To Verify The Issues: 

1. Configure the Satellite use the external auth and RHSSO login 
2. Updated the Settings Idle Timeout as 2 mins
3. Now login using the RHSSO user and waited for more than the 2 mins
4. trying access the application 

Expected Result:
The satellite should time out and log out the user.

Actual Result:
Satellite is still accessible and not getting logout. This is not happening the internal users.   

So marking this Bugzilla as failed as session timeout is not working for the RHSSO Users.
Comment 16 Omkar Khatavkar 2020-06-04 13:33:34 UTC 
Steps Executed To Verify The Issues: 

1. Configure the Satellite use the external auth and RHSSO login 
2. Updated the Settings Idle Timeout as 2 mins
3. Now login using the RHSSO user and waited for more than the 2 mins
4. trying access the application 

Expected Result:
The satellite should time out and log out the user.

Actual Result:
Satellite is still accessible and not getting logout. This is not happening the internal users.   

So marking this Bugzilla as failed as session timeout is not working for the RHSSO Users.
Comment 17 Omkar Khatavkar 2020-06-16 10:55:06 UTC 
Steps Executed To Verify The Issues: 

1. Configure the Satellite use the external auth and RHSSO login with URLs as https://satellite_host/users/extlogin/redirect_uri, https://satellite_host/users/extlogin.
2. Updated the Settings Idle Timeout as 2 mins
3. Now login using the RHSSO user and waited for more than the 2 mins
4. trying access the application 

Expected Result:
The satellite should time out and log out the user.

Actual Result:
Satellite timeout for the user for both RHSSO external and normal user. Bugzilla is fixed with Satellite 6.8 Snap 4. But for this extra setting is required in RHSSO side which is needed to add additional redirect URL.

Marking this bug as verified.
Comment 21 errata-xmlrpc 2020-10-27 13:00:04 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Satellite 6.8 release), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:4366