OIDCNG - Issue on "No session found" after some minutes

18 views
Skip to first unread message

Domingos Gonçalves

unread,
Aug 28, 2020, 1:01:05 PM8/28/20
to OpenConext Community
Hi,

we would like to have some help to understand an issue we are facing on OIDCNG.

After a successful authentication for instance on oidc-playground interface, using Oauth2 protocol, after some minutes (ex. more then 5) if we try to reuse a session we receive an error saying "No session found"

Bellow you can see the test we performed at 16:07:35 using the OIDC Playground.

Our environment:

-------------------------------------------
                   
[      papp01      ]
   
Component        [ Version | Status ]
-------------------------------------------
   
Engine           [ 6.1.3   | UP     ]
   
Engine-API       [ 6.1.3   | UP     ]
   OIDCNG          
[ 3.1.4   | UP     ]
   OIDC
-PLAYGROUND  [ 2.3.1   | UP     ]
-------------------------------------------



Log at /var/log/oidcng/oidcng.log

2020-08-28 16:00:00,005  INFO [scheduling-1] oidc.secure.ResourceCleaner:82 - Deleted 0 instances of class oidc.model.AccessToken
2020-08-28 16:00:00,008  INFO [scheduling-1] oidc.secure.ResourceCleaner:82 - Deleted 0 instances of class oidc.model.RefreshToken
2020-08-28 16:00:00,011  INFO [scheduling-1] oidc.secure.ResourceCleaner:82 - Deleted 0 instances of class oidc.model.AuthorizationCode
2020-08-28 16:00:00,014  INFO [scheduling-1] oidc.secure.ResourceCleaner:82 - Deleted 0 instances of class oidc.model.AuthenticationRequest
2020-08-28 16:00:00,018  INFO [scheduling-1] oidc.secure.ResourceCleaner:82 - Deleted 0 instances of class oidc.model.User
2020-08-28 16:00:00,020  INFO [scheduling-1] oidc.secure.ResourceCleaner:82 - Deleted 0 instances of class oidc.model.UserConsent



Step 1

Started the test at 16:07:34



You can see the log on the file in attach first_submit.log

After that authentication we wait some time, maintaining the browser...



Step 2

At 16:14:40 I submitted the same form again and received the following error




You can see the log on the file in attach second_submit.log


Looking at oidcng log /var/log/oidcng/oidcng.log we can see that were deleted some AuthenticationCode and AuthenticationRequest

2020-08-28 16:15:00,006  INFO [scheduling-1] oidc.secure.ResourceCleaner:82 - Deleted 0 instances of class oidc.model.AccessToken
2020-08-28 16:15:00,010  INFO [scheduling-1] oidc.secure.ResourceCleaner:82 - Deleted 0 instances of class oidc.model.RefreshToken
2020-08-28 16:15:00,013  INFO [scheduling-1] oidc.secure.ResourceCleaner:82 - Deleted 2 instances of class oidc.model.AuthorizationCode
2020-08-28 16:15:00,016  INFO [scheduling-1] oidc.secure.ResourceCleaner:82 - Deleted 0 instances of class oidc.model.AuthenticationRequest
2020-08-28 16:15:00,023  INFO [scheduling-1] oidc.secure.ResourceCleaner:82 - Deleted 0 instances of class oidc.model.User
2020-08-28 16:15:00,027  INFO [scheduling-1] oidc.secure.ResourceCleaner:82 - Deleted 0 instances of class oidc.model.UserConsent
2020-08-28 16:30:00,006  INFO [scheduling-1] oidc.secure.ResourceCleaner:82 - Deleted 0 instances of class oidc.model.AccessToken
2020-08-28 16:30:00,009  INFO [scheduling-1] oidc.secure.ResourceCleaner:82 - Deleted 0 instances of class oidc.model.RefreshToken
2020-08-28 16:30:00,011  INFO [scheduling-1] oidc.secure.ResourceCleaner:82 - Deleted 1 instances of class oidc.model.AuthorizationCode
2020-08-28 16:30:00,014  INFO [scheduling-1] oidc.secure.ResourceCleaner:82 - Deleted 6 instances of class oidc.model.AuthenticationRequest
2020-08-28 16:30:00,027  INFO [scheduling-1] oidc.secure.ResourceCleaner:82 - Deleted 0 instances of class oidc.model.User
2020-08-28 16:30:00,030  INFO [scheduling-1] oidc.secure.ResourceCleaner:82 - Deleted 0 instances of class oidc.model.UserConsent

End of test....

We saw this behavior in another situations.

Did the OIDCNG close the sessions after a few minutes?

Are this session clean controlled by the configs on /opt/oidcng/application.yml ?

server:
  session
:
    timeout
: 28800
    cookie
:
      secure
: true

spring
:
  security
:
    saml2
:
      network
:
        read
-timeout: 30000
        connect
-timeout: 15000

Any idea?

Regards,
Domingos
first_submit.log
second_submit.log

Bart Geesink

unread,
Aug 31, 2020, 3:11:05 AM8/31/20
to openc...@googlegroups.com
Hi Domingos,

The "session not started" error from Engineblock means that your browser sends an assertion to the
ACS location of Engineblock after logging in at the IdP, without a session cookie, or with an
invalid session cookie. If this problem is only happening in Google Chrome, you might encounter
issues relating to the change in behaviour regarding the SameSite cookie parameter in Google Chrome.

Some more information on that issue can be found here:
https://wiki.surfnet.nl/display/surfconextdev/Default+cookie+SameSite+attribute+behaviour+change
and here:

https://www.chromium.org/updates/same-site

Regards,
Bart

On 8/28/20 7:01 PM, Domingos Gonçalves wrote:
> Hi,
>
> we would like to have some help to understand an issue we are facing on *OIDCNG.*
>
> After a successful authentication for instance on *oidc-playground* interface, using *Oauth2*
> protocol, after some minutes (ex. more then 5) if we try to reuse a session we receive an error
> saying "*No session found*"
>
> Bellow you can see the test we performed at *16:07:35* using the *OIDC Playground*.
>
> Our environment:
>
> |
> -------------------------------------------
>                     [     papp01      ]
>    Component       [Version|Status]
> -------------------------------------------
>    Engine          [6.1.3  |UP     ]
>    Engine-API       [6.1.3  |UP     ]
>    OIDCNG           [3.1.4  |UP     ]
>    OIDC-PLAYGROUND  [2.3.1  |UP     ]
> -------------------------------------------
> |
>
>
>
> Log at */var/log/oidcng/oidcng.log*
>
> |
> 2020-08-2816:00:00,005 INFO [scheduling-1]oidc.secure.ResourceCleaner:82-Deleted0instances of
> classoidc.model.AccessToken
> 2020-08-2816:00:00,008 INFO [scheduling-1]oidc.secure.ResourceCleaner:82-Deleted0instances of
> classoidc.model.RefreshToken
> 2020-08-2816:00:00,011 INFO [scheduling-1]oidc.secure.ResourceCleaner:82-Deleted0instances of
> classoidc.model.AuthorizationCode
> 2020-08-2816:00:00,014 INFO [scheduling-1]oidc.secure.ResourceCleaner:82-Deleted0instances of
> classoidc.model.AuthenticationRequest
> 2020-08-2816:00:00,018 INFO [scheduling-1]oidc.secure.ResourceCleaner:82-Deleted0instances of
> classoidc.model.User
> 2020-08-2816:00:00,020 INFO [scheduling-1]oidc.secure.ResourceCleaner:82-Deleted0instances of
> classoidc.model.UserConsent
> |
>
>
>
> *Step 1*
>
> Started the test at 16:07:34
>
>
>
> You can see the log on the file in attach *first_submit.log*
>
> After that authentication we wait some time, maintaining the browser...
>
>
>
> *Step 2*
>
> At 16:14:40 I submitted the same form again and received the following error
>
>
>
>
> You can see the log on the file in attach *second_submit.log*
>
>
> Looking at *oidcng* log */var/log/oidcng/oidcng.log* we can see that were deleted some
> *AuthenticationCode* and *AuthenticationRequest*
>
> |
> 2020-08-2816:15:00,006 INFO [scheduling-1]oidc.secure.ResourceCleaner:82-Deleted0instances of
> classoidc.model.AccessToken
> 2020-08-2816:15:00,010 INFO [scheduling-1]oidc.secure.ResourceCleaner:82-Deleted0instances of
> classoidc.model.RefreshToken
> 2020-08-2816:15:00,013 INFO [scheduling-1]oidc.secure.ResourceCleaner:82-Deleted2instances of
> classoidc.model.AuthorizationCode
> 2020-08-2816:15:00,016 INFO [scheduling-1]oidc.secure.ResourceCleaner:82-Deleted0instances of
> classoidc.model.AuthenticationRequest
> 2020-08-2816:15:00,023 INFO [scheduling-1]oidc.secure.ResourceCleaner:82-Deleted0instances of
> classoidc.model.User
> 2020-08-2816:15:00,027 INFO [scheduling-1]oidc.secure.ResourceCleaner:82-Deleted0instances of
> classoidc.model.UserConsent
> 2020-08-2816:30:00,006 INFO [scheduling-1]oidc.secure.ResourceCleaner:82-Deleted0instances of
> classoidc.model.AccessToken
> 2020-08-2816:30:00,009 INFO [scheduling-1]oidc.secure.ResourceCleaner:82-Deleted0instances of
> classoidc.model.RefreshToken
> 2020-08-2816:30:00,011 INFO [scheduling-1]oidc.secure.ResourceCleaner:82-Deleted1instances of
> classoidc.model.AuthorizationCode
> 2020-08-2816:30:00,014 INFO [scheduling-1]oidc.secure.ResourceCleaner:82-Deleted6instances of
> classoidc.model.AuthenticationRequest
> 2020-08-2816:30:00,027 INFO [scheduling-1]oidc.secure.ResourceCleaner:82-Deleted0instances of
> classoidc.model.User
> 2020-08-2816:30:00,030 INFO [scheduling-1]oidc.secure.ResourceCleaner:82-Deleted0instances of
> classoidc.model.UserConsent
> |
>
> End of test....
>
> We saw this behavior in another situations.
>
> Did the *OIDCNG* close the sessions after a few minutes?
>
> Are this session clean controlled by the configs on */opt/oidcng/application.yml* ?
>
> |
> server:
>   session:
>     timeout:28800
>     cookie:
>       secure:true
>
> spring:
>   security:
>     saml2:
>       network:
>         read-timeout:30000
>         connect-timeout:15000
> |
>
> Any idea?
>
> Regards,
> Domingos
>
> --
> OpenConext - Open For Collaboration
> ---
> You received this message because you are subscribed to the Google Groups "OpenConext Community" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to
> openconext+...@googlegroups.com <mailto:openconext+...@googlegroups.com>.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/openconext/9a953cfa-b0c9-4022-b72f-6f584b5e8817o%40googlegroups.com <https://groups.google.com/d/msgid/openconext/9a953cfa-b0c9-4022-b72f-6f584b5e8817o%40googlegroups.com?utm_medium=email&utm_source=footer>.

Domingos Gonçalves

unread,
Aug 31, 2020, 10:18:38 AM8/31/20
to OpenConext Community
Hi Bart,

thanks for your tip!

Adding the "rspirep ^(set-cookie:.*) \1;\ SameSite=None" on Haproxy we don't have any more "session not started" as before.

Now it's asking a new authentication after the 2 minutes.

Best regards,

Domingos Gonçalves


Reply all
Reply to author
Forward
0 new messages