
Users need to reload the website if they are logged out of OpenID #3062

Closed
hashworks opened this issue Sep 26, 2023 · 3 comments

Comments

@hashworks

Expected Behavior

If I'm logged into Console with an OpenID provider and my OIDC expires, I should be redirected to the login page.

Current Behavior

Console stops displaying things, since every API returns 403 Forbidden. I need to be aware of this behavior and reload the website, which then results in a login page.

Possible Solution

It's not possible to redirect to log in when any API returns 403 Forbidden, since my user might just not have the permission to do so. Therefore, Console periodically needs to check an API that tells it if the OIDC token of the user is expired.

Steps to Reproduce (for bugs)

  1. Configure MinIO to support an OpenID provider, e.g. Keycloak
  2. Log in to Console with the OpenID provider
  3. Keep the browser tab open; since OIDC tokens are not refreshed (#2643), the token will expire
  4. Try to use Console, nothing will work
  5. Reload the tab, notice the redirect to the login page

Your Environment

  • MinIO version used (minio --version): 2023-09-20T22-49-55Z (commit-id=df3623d2a25bb8285393eacc46c376c2735be86f)
  • Operating System and version (uname -a): Linux foo 6.5.3-arch1-1
@bpedersen2

See also minio/minio#17902

Currently the console does not implement a refresh and/or silent SSO workflow.

In my opinion, the most correct behaviour for the console would be to:

  1. implement a refresh/silent SSO or detect expired sessions and render the root page
  2. the backend should validate auth_time and/or use max_age (see e.g. [1]) against MAX_BROWSER_SESSION_DURATION

[1] https://auth0.com/docs/authenticate/login/max-age-reauthentication
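To make the two suggestions in this thread concrete (a session check the UI can poll, and backend validation of auth_time against MAX_BROWSER_SESSION_DURATION), here is an added Go example; it is not Console's code. MAX_BROWSER_SESSION_DURATION is the setting named above; the 12h value, the IDTokenClaims struct and both function names are assumptions for this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"time"
)

// IDTokenClaims is a constructed subset of standard OIDC ID-token claims.
type IDTokenClaims struct {
	Exp      int64 // exp: token expiry, Unix seconds
	AuthTime int64 // auth_time: when the user authenticated at the provider
}

// Stand-in for Console's MAX_BROWSER_SESSION_DURATION; the 12h value is assumed.
const maxBrowserSessionDuration = 12 * time.Hour

var ErrSessionExpired = errors.New("session expired: token exp reached")
var ErrReauthRequired = errors.New("session expired: auth_time older than max session duration")

// ValidateSession checks that exp is still in the future and, as the thread
// suggests, that auth_time is not older than the max browser session duration.
func ValidateSession(c IDTokenClaims, now time.Time) error {
	if !now.Before(time.Unix(c.Exp, 0)) {
		return ErrSessionExpired
	}
	if c.AuthTime > 0 && now.Sub(time.Unix(c.AuthTime, 0)) > maxBrowserSessionDuration {
		return ErrReauthRequired
	}
	return nil
}

// SessionStatusCode is what a dedicated session-check endpoint would answer:
// 401 = session gone, redirect to login; 403 = logged in but not permitted, no redirect.
func SessionStatusCode(c IDTokenClaims, now time.Time, permitted bool) int {
	if ValidateSession(c, now) != nil {
		return http.StatusUnauthorized
	}
	if !permitted {
		return http.StatusForbidden
	}
	return http.StatusOK
}

func main() {
	now := time.Now()
	stale := IDTokenClaims{Exp: now.Unix() + 300, AuthTime: now.Add(-13 * time.Hour).Unix()}
	fmt.Println(SessionStatusCode(stale, now, true)) // 401: exp fine, but auth_time too old
}
```

Because a plain 403 from a data API cannot be told apart from a permissions denial, the UI would poll only this endpoint and redirect to login solely on 401.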

@cesnietor
Collaborator

@hashworks is this a duplicate of #2643?
We have it in the queue.

@cesnietor
Collaborator

cesnietor commented Oct 16, 2023

Closing as a duplicate of #2643. Please reopen if this is not the case.
