Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Session Timeout not working when integrating with oic auth plugin #380

Open
zhassanpixel opened this issue Aug 28, 2024 · 9 comments
Open
Labels

Comments

@zhassanpixel
Copy link

Jenkins and plugins versions report

Environment
Jenkins: 2.401.2
OS: Linux - 6.8.0-1014-aws
Java: 11.0.24 - Ubuntu (OpenJDK 64-Bit Server VM)
---
ant:497.v94e7d9fffa_b_9
antisamy-markup-formatter:162.v0e6ec0fcfcf6
apache-httpcomponents-client-4-api:4.5.14-208.v438351942757
bootstrap5-api:5.3.2-3
bouncycastle-api:2.30.1.78.1-248.ve27176eb_46cb_
branch-api:2.1128.v717130d4f816
build-timeout:1.31
caffeine-api:3.1.8-133.v17b_1ff2e0599
checks-api:2.0.2
cloudbees-folder:6.858.v898218f3609d
commons-lang3-api:3.16.0-82.ve2b_07d659d95
commons-text-api:1.11.0-94.v3e1f4a_926e49
credentials:1319.v7eb_51b_3a_c97b_
credentials-binding:642.v737c34dea_6c2
display-url-api:2.204.vf6fddd8a_8b_e9
durable-task:568.v8fb_5c57e8417
echarts-api:5.4.0-7
email-ext:2.105
font-awesome-api:6.5.1-2
generic-webhook-trigger:2.0.1
git:5.2.1
git-client:4.6.0
github:1.37.3.1
github-api:1.321-468.v6a_9f5f2d5a_7e
github-branch-source:1771.v59b_6a_fa_1b_89e
gradle:2.12
instance-identity:185.v303dc7c645f9
ionicons-api:74.v93d5eb_813d5f
jackson2-api:2.15.3-363.v82c51b_de9f60
jakarta-activation-api:2.1.3-1
jakarta-mail-api:2.1.3-1
javax-activation-api:1.2.0-7
javax-mail-api:1.6.2-10
jaxb:2.3.9-1
jjwt-api:0.11.5-112.ve82dfb_224b_a_d
jquery3-api:3.7.1-1
junit:1265.v65b_14fa_f12f0
ldap:725.v3cb_b_711b_1a_ef
mailer:470.vc91f60c5d8e2
matrix-auth:3.2.2
matrix-project:818.v7eb_e657db_924
mina-sshd-api-common:2.12.1-101.v85b_e08b_780dd
mina-sshd-api-core:2.12.1-101.v85b_e08b_780dd
oic-auth:4.290.v6f5e8da_e98b_2
okhttp-api:4.11.0-172.vda_da_1feeb_c6e
pam-auth:1.11
pipeline-build-step:540.vb_e8849e1a_b_d8
pipeline-github-lib:61.v629f2cc41d83
pipeline-graph-analysis:216.vfd8b_ece330ca_
pipeline-groovy-lib:689.veec561a_dee13
pipeline-input-step:477.v339683a_8d55e
pipeline-milestone-step:119.vdfdc43fc3b_9a_
pipeline-model-api:2.2150.v4cfd8916915c
pipeline-model-definition:2.2150.v4cfd8916915c
pipeline-model-extensions:2.2150.v4cfd8916915c
pipeline-rest-api:2.34
pipeline-stage-step:312.v8cd10304c27a_
pipeline-stage-tags-metadata:2.2150.v4cfd8916915c
pipeline-stage-view:2.34
plain-credentials:182.v468b_97b_9dcb_8
plugin-util-api:3.8.0
resource-disposer:0.23
role-strategy:689.v731678c3e0eb_
scm-api:676.v886669a_199a_a_
script-security:1354.va_70a_fe478c7f
snakeyaml-api:2.2-121.v5a_68b_9300b_d4
ssh-credentials:337.v395d2403ccd4
ssh-slaves:2.948.vb_8050d697fec
structs:325.vcb_307d2a_2782
timestamper:1.27
token-macro:384.vf35b_f26814ec
trilead-api:2.84.86.vf9c960e9b_458
variant:60.v7290fc0eb_b_cd
workflow-aggregator:600.vb_57cdd26fdd7
workflow-api:1291.v51fd2a_625da_7
workflow-basic-steps:1058.vcb_fc1e3a_21a_9
workflow-cps:3837.v305192405b_c0
workflow-durable-task-step:1331.vc8c2fed35334
workflow-job:1326.ve643e00e9220
workflow-multibranch:770.v1a_d0708dd1f6
workflow-scm-step:427.v4ca_6512e7df1
workflow-step-api:639.v6eca_cd8c04a_a_
workflow-support:920.v59f71ce16f04
ws-cleanup:0.46

What Operating System are you using (both controller, and any agents involved in the problem)?

Ubuntu 24.04 LTS

Reproduction steps

1- set the JENKINS_OPTS session timeout (JENKINS_OPTS=--sessionTimeout=2 --sessionEviction=4)
2- login and wait 4 minutes it should log you out
3- integrate with oic-auth plugin

Expected Results

it should log you out after 4 minutes

Actual Results

it keeps the session open for almost a day

Anything else?

No response

Are you interested in contributing a fix?

No response

@michael-doubez
Copy link
Contributor

michael-doubez commented Aug 28, 2024

Those parameters handle jetty session timeout.
I don t think the plugin has any impact.

Can you run the following in console ?

import org.kohsuke.stapler.Stapler;
Stapler.getCurrentRequest().getSession().getMaxInactiveInterval() / 60

@zhassanpixel
Copy link
Author

zhassanpixel commented Aug 29, 2024

HYG
Result: Session@6d5b15a7{id=node01rshgy07xth66ukyfo5uj3pyg13791,x=node01rshgy07xth66ukyfo5uj3pyg13791.node0,req=1,res=true}

@michael-doubez
Copy link
Contributor

michael-doubez commented Aug 29, 2024

@zhassanpixel Sorry. Wrong copy/paste on my phone :(

The goal is to have the stapler configuration

@zhassanpixel
Copy link
Author

Result: 2

but since i installed the plugin it doesn't log me out .

@rsareth
Copy link

rsareth commented Sep 1, 2024

I faced an issue on it too. After the timeout, people face the HTTP 403 error page, so they need to clean their cookies to be able to log in. I had to downgrade the plugin

@eva-mueller-coremedia
Copy link
Contributor

eva-mueller-coremedia commented Sep 9, 2024

I faced an issue on it too. After the timeout, people face the HTTP 403 error page, so they need to clean their cookies to be able to log in. I had to downgrade the plugin

I cannot confirm this behaviour. Configuration

  • oic-auth plugin connected to AWS Cognito
  • JENKINS_OPTS | --sessionTimeout=2 --sessionEviction=4
  • Login via Cognito, wait for 5 minutes
    • => No logout but also no 403

I need to update my comment. I observe the following behaviour, when trying to logout:

2024-09-09T15:01:28.005193335Z 2024-09-09 15:01:27.997+0000 [id=95]     WARNING h.i.i.InstallUncaughtExceptionHandler#handleException: Caught unhandled exception with ID 9998156e-b366-4a5a-b5b9-9400f9dac087
2024-09-09T15:01:28.005227668Z java.lang.IllegalArgumentException: User must not be null
2024-09-09T15:01:28.005230626Z  at org.springframework.util.Assert.notNull(Assert.java:201)
2024-09-09T15:01:28.005232918Z  at PluginClassLoader for cm-oic-auth//org.jenkinsci.plugins.oic.OicSecurityRealm.doLogout(OicSecurityRealm.java:1294)
2024-09-09T15:01:28.005235085Z  at jenkins.model.Jenkins.doLogout(Jenkins.java:4417)

See also: https://github.com/jenkinsci/oic-auth-plugin/blob/4.331.vd925b_f76f3a_c/src/main/java/org/jenkinsci/plugins/oic/OicSecurityRealm.java#L1268

Additionally, I can't use the script console anymore
Screenshot 2024-09-09 at 17 01 05

This behaviour vanishes, when I increase the session options...

@jtnord
Copy link
Member

jtnord commented Sep 17, 2024

at PluginClassLoader for cm-oic-auth

@eva-mueller-coremedia have you forked this plugin ? the plugin id does not match.

As for the logout - this is somewhat expected as you where not actually logged in (as the session has expired).
given the plugin can be configured to log out the user from the upstream idp on logout, silently hiding the fact they are not correctly logged out seems wrong (although throwing an exception and erroring with something a regular user can not see) is also not a good UX.

Something at least smells not great around session/cookie authorisation/expiration.

@eva-mueller-coremedia
Copy link
Contributor

at PluginClassLoader for cm-oic-auth

@eva-mueller-coremedia have you forked this plugin ? the plugin id does not match.

Yes, I forked the plugin since I need to make some changes due to non-standard-conform Cognito logout behaviour 😢 (see #241)

@jimsnab
Copy link

jimsnab commented Dec 17, 2024

Although I haven't gotten this to work either, I want to point out that sessionEviction units are seconds according to this article.

A fix was made in this area last week.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

6 participants