OIDCNG - Issue on "No session found" after some minutes
23 views
Skip to first unread message
Domingos Gonçalves
Aug 28, 2020, 1:01:05 PM8/28/20
to OpenConext Community
Hi,
we would like to have some help to understand an issue we are facing on OIDCNG.
After a successful authentication for instance on oidc-playground interface, using Oauth2 protocol, after some minutes (ex. more then 5) if we try to reuse a session we receive an error saying "No session found"
Bellow you can see the test we performed at 16:07:35 using the OIDC Playground.
Our environment:
-------------------------------------------
[ papp01 ]
Component [ Version | Status ]
-------------------------------------------
Engine [ 6.1.3 | UP ]
Engine-API [ 6.1.3 | UP ]
OIDCNG [ 3.1.4 | UP ]
OIDC-PLAYGROUND [ 2.3.1 | UP ]
-------------------------------------------Log at /var/log/oidcng/oidcng.log
2020-08-28 16:00:00,005 INFO [scheduling-1] oidc.secure.ResourceCleaner:82 - Deleted 0 instances of class oidc.model.AccessToken
2020-08-28 16:00:00,008 INFO [scheduling-1] oidc.secure.ResourceCleaner:82 - Deleted 0 instances of class oidc.model.RefreshToken
2020-08-28 16:00:00,011 INFO [scheduling-1] oidc.secure.ResourceCleaner:82 - Deleted 0 instances of class oidc.model.AuthorizationCode
2020-08-28 16:00:00,014 INFO [scheduling-1] oidc.secure.ResourceCleaner:82 - Deleted 0 instances of class oidc.model.AuthenticationRequest
2020-08-28 16:00:00,018 INFO [scheduling-1] oidc.secure.ResourceCleaner:82 - Deleted 0 instances of class oidc.model.User
2020-08-28 16:00:00,020 INFO [scheduling-1] oidc.secure.ResourceCleaner:82 - Deleted 0 instances of class oidc.model.UserConsentStep 1
Started the test at 16:07:34
You can see the log on the file in attach first_submit.log
After that authentication we wait some time, maintaining the browser...
Step 2
At 16:14:40 I submitted the same form again and received the following error
You can see the log on the file in attach second_submit.log
Looking at oidcng log /var/log/oidcng/oidcng.log we can see that were deleted some AuthenticationCode and AuthenticationRequest
2020-08-28 16:15:00,006 INFO [scheduling-1] oidc.secure.ResourceCleaner:82 - Deleted 0 instances of class oidc.model.AccessToken
2020-08-28 16:15:00,010 INFO [scheduling-1] oidc.secure.ResourceCleaner:82 - Deleted 0 instances of class oidc.model.RefreshToken
2020-08-28 16:15:00,013 INFO [scheduling-1] oidc.secure.ResourceCleaner:82 - Deleted 2 instances of class oidc.model.AuthorizationCode
2020-08-28 16:15:00,016 INFO [scheduling-1] oidc.secure.ResourceCleaner:82 - Deleted 0 instances of class oidc.model.AuthenticationRequest
2020-08-28 16:15:00,023 INFO [scheduling-1] oidc.secure.ResourceCleaner:82 - Deleted 0 instances of class oidc.model.User
2020-08-28 16:15:00,027 INFO [scheduling-1] oidc.secure.ResourceCleaner:82 - Deleted 0 instances of class oidc.model.UserConsent
2020-08-28 16:30:00,006 INFO [scheduling-1] oidc.secure.ResourceCleaner:82 - Deleted 0 instances of class oidc.model.AccessToken
2020-08-28 16:30:00,009 INFO [scheduling-1] oidc.secure.ResourceCleaner:82 - Deleted 0 instances of class oidc.model.RefreshToken
2020-08-28 16:30:00,011 INFO [scheduling-1] oidc.secure.ResourceCleaner:82 - Deleted 1 instances of class oidc.model.AuthorizationCode
2020-08-28 16:30:00,014 INFO [scheduling-1] oidc.secure.ResourceCleaner:82 - Deleted 6 instances of class oidc.model.AuthenticationRequest
2020-08-28 16:30:00,027 INFO [scheduling-1] oidc.secure.ResourceCleaner:82 - Deleted 0 instances of class oidc.model.User
2020-08-28 16:30:00,030 INFO [scheduling-1] oidc.secure.ResourceCleaner:82 - Deleted 0 instances of class oidc.model.UserConsentEnd of test....
We saw this behavior in another situations.
Did the OIDCNG close the sessions after a few minutes?
Are this session clean controlled by the configs on /opt/oidcng/application.yml ?
server:
session:
timeout: 28800
cookie:
secure: true
spring:
security:
saml2:
network:
read-timeout: 30000
connect-timeout: 15000Any idea?
Regards,
Domingos
Bart Geesink
Aug 31, 2020, 3:11:05 AM8/31/20
to openc...@googlegroups.com
Hi Domingos,
The "session not started" error from Engineblock means that your browser sends an assertion to the
ACS location of Engineblock after logging in at the IdP, without a session cookie, or with an
invalid session cookie. If this problem is only happening in Google Chrome, you might encounter
issues relating to the change in behaviour regarding the SameSite cookie parameter in Google Chrome.
Some more information on that issue can be found here:
https://wiki.surfnet.nl/display/surfconextdev/Default+cookie+SameSite+attribute+behaviour+change
and here:
https://www.chromium.org/updates/same-site
Regards,
Bart
On 8/28/20 7:01 PM, Domingos Gonçalves wrote:
> Hi,
>
> we would like to have some help to understand an issue we are facing on *OIDCNG.*
>
> After a successful authentication for instance on *oidc-playground* interface, using *Oauth2*
>
> Bellow you can see the test we performed at *16:07:35* using the *OIDC Playground*.
>
> |
> 2020-08-2816:00:00,005 INFO [scheduling-1]oidc.secure.ResourceCleaner:82-Deleted0instances of
> classoidc.model.AccessToken
> 2020-08-2816:00:00,008 INFO [scheduling-1]oidc.secure.ResourceCleaner:82-Deleted0instances of
> classoidc.model.RefreshToken
> 2020-08-2816:00:00,011 INFO [scheduling-1]oidc.secure.ResourceCleaner:82-Deleted0instances of
> classoidc.model.AuthorizationCode
> 2020-08-2816:00:00,014 INFO [scheduling-1]oidc.secure.ResourceCleaner:82-Deleted0instances of
> classoidc.model.AuthenticationRequest
> 2020-08-2816:00:00,018 INFO [scheduling-1]oidc.secure.ResourceCleaner:82-Deleted0instances of
> classoidc.model.User
> 2020-08-2816:00:00,020 INFO [scheduling-1]oidc.secure.ResourceCleaner:82-Deleted0instances of
> classoidc.model.UserConsent
> |
>
>
>
> *Step 1*
>
>
> Looking at *oidcng* log */var/log/oidcng/oidcng.log* we can see that were deleted some
> *AuthenticationCode* and *AuthenticationRequest*
>
> |
> 2020-08-2816:15:00,006 INFO [scheduling-1]oidc.secure.ResourceCleaner:82-Deleted0instances of
> classoidc.model.AccessToken
> 2020-08-2816:15:00,010 INFO [scheduling-1]oidc.secure.ResourceCleaner:82-Deleted0instances of
> classoidc.model.RefreshToken
> 2020-08-2816:15:00,013 INFO [scheduling-1]oidc.secure.ResourceCleaner:82-Deleted2instances of
> classoidc.model.AuthorizationCode
> 2020-08-2816:15:00,016 INFO [scheduling-1]oidc.secure.ResourceCleaner:82-Deleted0instances of
> classoidc.model.AuthenticationRequest
> 2020-08-2816:15:00,023 INFO [scheduling-1]oidc.secure.ResourceCleaner:82-Deleted0instances of
> classoidc.model.User
> 2020-08-2816:15:00,027 INFO [scheduling-1]oidc.secure.ResourceCleaner:82-Deleted0instances of
> classoidc.model.UserConsent
> 2020-08-2816:30:00,006 INFO [scheduling-1]oidc.secure.ResourceCleaner:82-Deleted0instances of
> classoidc.model.AccessToken
> 2020-08-2816:30:00,009 INFO [scheduling-1]oidc.secure.ResourceCleaner:82-Deleted0instances of
> classoidc.model.RefreshToken
> 2020-08-2816:30:00,011 INFO [scheduling-1]oidc.secure.ResourceCleaner:82-Deleted1instances of
> classoidc.model.AuthorizationCode
> 2020-08-2816:30:00,014 INFO [scheduling-1]oidc.secure.ResourceCleaner:82-Deleted6instances of
> classoidc.model.AuthenticationRequest
> 2020-08-2816:30:00,027 INFO [scheduling-1]oidc.secure.ResourceCleaner:82-Deleted0instances of
> classoidc.model.User
> 2020-08-2816:30:00,030 INFO [scheduling-1]oidc.secure.ResourceCleaner:82-Deleted0instances of
>
> Are this session clean controlled by the configs on */opt/oidcng/application.yml* ?
> OpenConext - Open For Collaboration
> ---
> You received this message because you are subscribed to the Google Groups "OpenConext Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to
> openconext+...@googlegroups.com <mailto:openconext+...@googlegroups.com>.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/openconext/9a953cfa-b0c9-4022-b72f-6f584b5e8817o%40googlegroups.com <https://groups.google.com/d/msgid/openconext/9a953cfa-b0c9-4022-b72f-6f584b5e8817o%40googlegroups.com?utm_medium=email&utm_source=footer>.
The "session not started" error from Engineblock means that your browser sends an assertion to the
ACS location of Engineblock after logging in at the IdP, without a session cookie, or with an
invalid session cookie. If this problem is only happening in Google Chrome, you might encounter
issues relating to the change in behaviour regarding the SameSite cookie parameter in Google Chrome.
Some more information on that issue can be found here:
https://wiki.surfnet.nl/display/surfconextdev/Default+cookie+SameSite+attribute+behaviour+change
and here:
https://www.chromium.org/updates/same-site
Regards,
Bart
On 8/28/20 7:01 PM, Domingos Gonçalves wrote:
> Hi,
>
>
> After a successful authentication for instance on *oidc-playground* interface, using *Oauth2*
> protocol, after some minutes (ex. more then 5) if we try to reuse a session we receive an error
> saying "*No session found*"
>
> Bellow you can see the test we performed at *16:07:35* using the *OIDC Playground*.
>
> Our environment:
>
> |
> -------------------------------------------
> [ papp01 ]
> Component [Version|Status]
> -------------------------------------------
> Engine [6.1.3 |UP ]
> Engine-API [6.1.3 |UP ]
> OIDCNG [3.1.4 |UP ]
> OIDC-PLAYGROUND [2.3.1 |UP ]
> -------------------------------------------
> |
>
>
>
> Log at */var/log/oidcng/oidcng.log*
> Our environment:
>
> |
> -------------------------------------------
> [ papp01 ]
> Component [Version|Status]
> -------------------------------------------
> Engine [6.1.3 |UP ]
> Engine-API [6.1.3 |UP ]
> OIDCNG [3.1.4 |UP ]
> OIDC-PLAYGROUND [2.3.1 |UP ]
> -------------------------------------------
> |
>
>
>
>
> |
> 2020-08-2816:00:00,005 INFO [scheduling-1]oidc.secure.ResourceCleaner:82-Deleted0instances of
> classoidc.model.AccessToken
> 2020-08-2816:00:00,008 INFO [scheduling-1]oidc.secure.ResourceCleaner:82-Deleted0instances of
> classoidc.model.RefreshToken
> 2020-08-2816:00:00,011 INFO [scheduling-1]oidc.secure.ResourceCleaner:82-Deleted0instances of
> classoidc.model.AuthorizationCode
> 2020-08-2816:00:00,014 INFO [scheduling-1]oidc.secure.ResourceCleaner:82-Deleted0instances of
> classoidc.model.AuthenticationRequest
> 2020-08-2816:00:00,018 INFO [scheduling-1]oidc.secure.ResourceCleaner:82-Deleted0instances of
> classoidc.model.User
> 2020-08-2816:00:00,020 INFO [scheduling-1]oidc.secure.ResourceCleaner:82-Deleted0instances of
> classoidc.model.UserConsent
> |
>
>
>
> *Step 1*
>
> Started the test at 16:07:34
>
>
>
> You can see the log on the file in attach *first_submit.log*
> Started the test at 16:07:34
>
>
>
>
> After that authentication we wait some time, maintaining the browser...
>
>
>
> *Step 2*
> After that authentication we wait some time, maintaining the browser...
>
>
>
>
> At 16:14:40 I submitted the same form again and received the following error
>
>
>
>
> You can see the log on the file in attach *second_submit.log*
> At 16:14:40 I submitted the same form again and received the following error
>
>
>
>
>
>
> Looking at *oidcng* log */var/log/oidcng/oidcng.log* we can see that were deleted some
> *AuthenticationCode* and *AuthenticationRequest*
>
> |
> 2020-08-2816:15:00,006 INFO [scheduling-1]oidc.secure.ResourceCleaner:82-Deleted0instances of
> classoidc.model.AccessToken
> 2020-08-2816:15:00,010 INFO [scheduling-1]oidc.secure.ResourceCleaner:82-Deleted0instances of
> classoidc.model.RefreshToken
> 2020-08-2816:15:00,013 INFO [scheduling-1]oidc.secure.ResourceCleaner:82-Deleted2instances of
> classoidc.model.AuthorizationCode
> 2020-08-2816:15:00,016 INFO [scheduling-1]oidc.secure.ResourceCleaner:82-Deleted0instances of
> classoidc.model.AuthenticationRequest
> 2020-08-2816:15:00,023 INFO [scheduling-1]oidc.secure.ResourceCleaner:82-Deleted0instances of
> classoidc.model.User
> 2020-08-2816:15:00,027 INFO [scheduling-1]oidc.secure.ResourceCleaner:82-Deleted0instances of
> classoidc.model.UserConsent
> 2020-08-2816:30:00,006 INFO [scheduling-1]oidc.secure.ResourceCleaner:82-Deleted0instances of
> classoidc.model.AccessToken
> 2020-08-2816:30:00,009 INFO [scheduling-1]oidc.secure.ResourceCleaner:82-Deleted0instances of
> classoidc.model.RefreshToken
> 2020-08-2816:30:00,011 INFO [scheduling-1]oidc.secure.ResourceCleaner:82-Deleted1instances of
> classoidc.model.AuthorizationCode
> 2020-08-2816:30:00,014 INFO [scheduling-1]oidc.secure.ResourceCleaner:82-Deleted6instances of
> classoidc.model.AuthenticationRequest
> 2020-08-2816:30:00,027 INFO [scheduling-1]oidc.secure.ResourceCleaner:82-Deleted0instances of
> classoidc.model.User
> 2020-08-2816:30:00,030 INFO [scheduling-1]oidc.secure.ResourceCleaner:82-Deleted0instances of
> classoidc.model.UserConsent
> |
>
> End of test....
>
> We saw this behavior in another situations.
>
> Did the *OIDCNG* close the sessions after a few minutes?
> |
>
> End of test....
>
> We saw this behavior in another situations.
>
>
> Are this session clean controlled by the configs on */opt/oidcng/application.yml* ?
>
> |
> server:
> session:
> timeout:28800
> cookie:
> secure:true
>
> spring:
> security:
> saml2:
> network:
> read-timeout:30000
> connect-timeout:15000
> |
>
> Any idea?
>
> Regards,
> Domingos
>
> --
> |
> server:
> session:
> timeout:28800
> cookie:
> secure:true
>
> spring:
> security:
> saml2:
> network:
> read-timeout:30000
> connect-timeout:15000
> |
>
> Any idea?
>
> Regards,
> Domingos
>
> OpenConext - Open For Collaboration
> ---
> You received this message because you are subscribed to the Google Groups "OpenConext Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to
> openconext+...@googlegroups.com <mailto:openconext+...@googlegroups.com>.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/openconext/9a953cfa-b0c9-4022-b72f-6f584b5e8817o%40googlegroups.com <https://groups.google.com/d/msgid/openconext/9a953cfa-b0c9-4022-b72f-6f584b5e8817o%40googlegroups.com?utm_medium=email&utm_source=footer>.
Domingos Gonçalves
Aug 31, 2020, 10:18:38 AM8/31/20
to OpenConext Community
Hi Bart,
thanks for your tip!
Adding the "
rspirep ^(set-cookie:.*) \1;\ SameSite=None" on Haproxy we don't have any more "session not started" as before.Now it's asking a new authentication after the 2 minutes.
Best regards,
Domingos Gonçalves
Reply all
Reply to author
Forward
0 new messages