Solved

K10 OpenID logout continously


Userlevel 3

Dear,

We have setup Kasten with OIDC integration with our Keycloak instance.

We can login in Kasten with our keycloak credentials, however, given that the Access Token has a lifetime of 5 minutes we are loged out from kasten after 5 minutes, like if the Refresh Token is not used.

 

We have configured Kasten like this:

data:

  provider-url: {{ $providerUrl | b64enc }}

  redirect-url: {{ $clusterUrlTrimmed | b64enc }}

  logout-url:   {{ $logoutUrl   | b64enc }}

  client-id:    {{ .Values.identityProvider.clientID | b64enc }}

  client-secret: {{ .Values.identityProvider.clientSecret | b64enc }}

  scopes: {{ .Values.identityProvider.scopes | b64enc }}

  usernameClaim: {{ .Values.identityProvider.usernameClaim | b64enc }}

  usernamePrefix: {{ .Values.identityProvider.usernamePrefix | b64enc }}

  groupClaim: {{ .Values.identityProvider.groupClaim | b64enc }}

 

I don’t know if this is the expected behaviour.

 

icon

Best answer by EBrockman 7 October 2022, 19:47

View original

12 comments

Userlevel 2

i have the same problem

Userlevel 3

No one facing similar issue ?

Badge

The behavior should have been fixed by 5.0.6. Please upgrade your k10 to the latest.   

Userlevel 7
Badge +22

The behavior should have been fixed by 5.0.6. Please upgrade your k10 to the latest.   

Good to hear. I have a keycloak test setup and was experiencing the same issues but thought that I was just not adept enough to get the keycloak settings right :) 

Userlevel 3

Tested with 5.0.7 and problem is still present

Badge

Tested with 5.0.7 and problem is still present

Hi Matteo, We may have to recreate this issue first. Can you please create a service request? I am going to work with you on the ticket.  thanks. Michael

Userlevel 3
Badge +1

Hello @Matteo.Gazzadi

At this time, we only use the lifetime of the access_token and do not use the lifetime of the refresh_token at the moment. We do have plans in the future to improve the auth-svc to be able to refresh a token before it expires.

 

Thanks

Emmanuel

Userlevel 2

We have the same issue with the OIDC integration. This is especially difficult when building something like a policy and suddenly having to login again because the session has expired.

Userlevel 2

The support just informed me about the fact that the refresh_token is not used. The feature is expected to be available early next year.

Badge

Another possible explanation for this behavior is the token size exceeding the 4k limit. when a user belongs to numerous groups, say 100. In such cases, the token will encapsulate all these groups, leading to the size issue. A potential solution is to utilize the groupAllowList option. 

helm upgrade k10 kasten/k10 --namespace=kasten-io --reuse-values --set auth."groupAllowList[0]"=<group id>

 

Still happening as of version 6.5.1 - insanely annoying being logged out every few minutes...

Badge

@Tipsmark please create a tech support ticket. we will test it out. 

Comment