Description
What is the bug?
Auth times out, and refreshes the page, losing all state, including open dashboard or other such item after 5 minutes.
This is using OIDC via Gitlab.
How can one reproduce the bug?
- Configure OIDC using Gitlab
- Open page to Dev Tools
- Wait 5 minutes
- Try doing anything
- Page will refresh and lose unsaved state
What is the expected behavior?
Auth to not time out and refresh using the correct mechanism in OIDC
What is your host/environment?
Kubernetes, AMD64, Opensearch DB & Dashboard version 2.18.0
Do you have any additional context?
Posted originally in Slack but got no response, so here's the full message:
Got an auth timeout issue when using Gitlab for OIDC auth on Dashboards - some or all pages don't keep auth and drop me back to an auth screen, which loses any in-progress items in the page. Easiest page to trigger this on is Dev Tools, but I've had it happen on all pages I've used at some point. We've configured it as documented, and I have a feeling it is due to the expiration date claim in the openid helper.
As far as I understand, the exp there is not the access token's, but the ID token's, which can be refreshed with the access token (spec). Gitlab has that as a very low expiry for the ID, to allow for updated authorization items (as the ID token is a JWT containing claims), but the access token expiry is much longer and set on expires_in on the response. (spec)
Gitlab also doesn't require 'offline_access' to be enabled to receive a refresh token, though I think that's unrelated as the logic for that side of the auth pile just checks if the refresh token is passed at all.
Not sure how far off the mark I am, but I've been diving into the logic of this for a while and this seems to be the only time where an expiry is checked.
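As an added illustration of the distinction the report draws between the ID token's `exp` claim and the access token's `expires_in` lifetime (example code, not the OpenSearch security plugin's own; the token response, the 120 s and 7200 s lifetimes, the issuer, subject and client names are all constructed, and the sample ID token carries no real signature):

```javascript
// Added example, not code from the OpenSearch security plugin. It shows why a
// session check keyed to the ID token's `exp` claim forces an early re-login,
// while one keyed to `expires_in` (refreshing with the refresh token when the
// access token lapses) keeps the session alive. All values are constructed.

function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function base64UrlDecode(str) {
  const b64 = str.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

// Reads JWT claims WITHOUT checking the signature. Only safe on a token that
// the login flow has already validated against the provider's JWKS.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('expected a compact JWS (header.payload.signature)');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Constructed, unsigned stand-in for an ID token; "sig" is not a real signature.
function makeSampleIdToken(iat, lifetimeSec) {
  const header = base64UrlEncode(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const payload = base64UrlEncode(JSON.stringify({
    iss: 'https://gitlab.example', sub: '12345', aud: 'dashboards-client', // constructed
    iat, exp: iat + lifetimeSec,
  }));
  return `${header}.${payload}.sig`;
}

// Turn a token-endpoint response (RFC 6749 section 5.1 / OIDC Core 3.1.3.3)
// into the expiry bookkeeping a session store needs.
function sessionFromTokenResponse(resp, nowSec) {
  const claims = decodeJwtPayload(resp.id_token);
  return {
    idTokenExp: claims.exp,                    // when the ID token's claims go stale
    accessTokenExp: nowSec + resp.expires_in,  // expires_in is a lifetime in seconds from now
    refreshToken: resp.refresh_token || null,
  };
}

// Session check driven by the access token lifetime. Refresh while a refresh
// token is available; fall back to a full login only when there is none.
function sessionAction(session, nowSec, skewSec = 30) {
  if (nowSec + skewSec < session.accessTokenExp) return 'ok';
  if (session.refreshToken) return 'refresh';
  return 'reauthenticate';
}

// Session check driven by the ID token `exp` claim, the pattern the report
// suspects. With a short-lived ID token it sends the user back to login early.
function idTokenExpAction(session, nowSec, skewSec = 30) {
  return nowSec + skewSec < session.idTokenExp ? 'ok' : 'reauthenticate';
}

// Constructed token response: short ID token (120 s), longer access token (7200 s).
const LOGIN_AT = 1700000000;
function exampleSession() {
  const tokenResponse = {
    access_token: 'opaque-access-token',    // constructed
    token_type: 'Bearer',
    expires_in: 7200,
    refresh_token: 'opaque-refresh-token',  // constructed
    id_token: makeSampleIdToken(LOGIN_AT, 120),
  };
  return sessionFromTokenResponse(tokenResponse, LOGIN_AT);
}

// Five minutes after login: the two checks disagree.
const session = exampleSession();
console.log('access-token check at +5 min :', sessionAction(session, LOGIN_AT + 300));
console.log('id-token exp check at +5 min :', idTokenExpAction(session, LOGIN_AT + 300));
console.log('access-token check at +2 h   :', sessionAction(session, LOGIN_AT + 7200));
```

Five minutes in, the `expires_in`-based check still reports `ok` while the `exp`-based check already demands a new login; two hours in, the access-token check asks for a refresh rather than a login because a refresh token was issued. Note that `decodeJwtPayload` deliberately does not verify the signature, so it must only be applied to a token the login flow has already validated.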