Solved

K10 OpenID logout continuously


Userlevel 3

Dear,

We have set up Kasten with OIDC integration with our Keycloak instance.

We can log in to Kasten with our Keycloak credentials; however, given that the Access Token has a lifetime of 5 minutes, we are logged out of Kasten after 5 minutes, as if the Refresh Token is not used.

 

We have configured Kasten like this:

data:
  provider-url: {{ $providerUrl | b64enc }}
  redirect-url: {{ $clusterUrlTrimmed | b64enc }}
  logout-url:   {{ $logoutUrl   | b64enc }}
  client-id:    {{ .Values.identityProvider.clientID | b64enc }}
  client-secret: {{ .Values.identityProvider.clientSecret | b64enc }}
  scopes: {{ .Values.identityProvider.scopes | b64enc }}
  usernameClaim: {{ .Values.identityProvider.usernameClaim | b64enc }}
  usernamePrefix: {{ .Values.identityProvider.usernamePrefix | b64enc }}
  groupClaim: {{ .Values.identityProvider.groupClaim | b64enc }}

 

I don’t know if this is the expected behaviour.


Best answer by EBrockman 7 October 2022, 19:47


12 comments

Badge

The behavior should have been fixed by 5.0.6. Please upgrade your k10 to the latest.   

Userlevel 2

The support just informed me about the fact that the refresh_token is not used. The feature is expected to be available early next year.

Userlevel 7
Badge +22

The behavior should have been fixed by 5.0.6. Please upgrade your k10 to the latest.   

Good to hear. I have a keycloak test setup and was experiencing the same issues but thought that I was just not adept enough to get the keycloak settings right :) 

Still happening as of version 6.5.1 - insanely annoying being logged out every few minutes...

Badge

@Tipsmark please create a tech support ticket. We will test it out.

Badge

Another possible explanation for this behavior is the token size exceeding the 4k limit when a user belongs to numerous groups, say 100. In such cases, the token will encapsulate all these groups, leading to the size issue. A potential solution is to utilize the groupAllowList option.

helm upgrade k10 kasten/k10 --namespace=kasten-io --reuse-values --set auth."groupAllowList[0]"=<group id>
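Added example, not part of any post in this thread and not Kasten code: a small Python diagnostic that decodes a token's payload and reports the two things discussed here, the access token lifetime (5 minutes in the question) and whether the encoded token exceeds the 4k limit because of the group list. The claim name `groups`, the byte interpretation of "4k", the sample group names and the dummy signature are assumptions; the sample tokens are constructed.

```python
import base64
import json
import time

SIZE_LIMIT = 4096  # the "4k limit" from the reply above; assumed to mean bytes of encoded token


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(groups, lifetime=300, iat=None) -> str:
    """Build a constructed, unsigned sample token (the signature is dummy bytes)."""
    iat = int(time.time()) if iat is None else iat
    header = {"alg": "RS256", "typ": "JWT"}
    payload = {"sub": "constructed-user", "iat": iat, "exp": iat + lifetime,
               "groups": list(groups)}
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode())
             for p in (header, payload)]
    return ".".join(parts + [b64url(b"\0" * 256)])  # 256 bytes = RS256/2048-bit size


def inspect_token(token: str, group_claim: str = "groups", now=None) -> dict:
    """Decode the payload WITHOUT verifying the signature (diagnostics only)."""
    try:
        _, payload_b64, _ = token.split(".")
        padded = payload_b64 + "=" * (-len(payload_b64) % 4)
        claims = json.loads(base64.urlsafe_b64decode(padded))
        exp, iat = int(claims["exp"]), int(claims["iat"])
    except (ValueError, KeyError, TypeError) as exc:
        raise ValueError("not a three-part JWT with exp/iat claims") from exc
    now = int(time.time()) if now is None else now
    size = len(token.encode())
    return {
        "size_bytes": size,
        "over_size_limit": size > SIZE_LIMIT,
        "lifetime_s": exp - iat,        # 300 s matches the 5-minute logout
        "seconds_left": exp - now,
        "group_count": len(claims.get(group_claim, [])),
    }


if __name__ == "__main__":
    many = [f"/constructed/department-{i:03d}/backup-operators" for i in range(100)]
    for label, groups in (("100 groups", many), ("2 groups", many[:2])):
        print(label, inspect_token(make_sample_token(groups)))
```

Never use the unverified claims for an authorization decision; this only tells you which of the two causes applies to a token you already hold.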

 

Badge

Tested with 5.0.7 and problem is still present

Hi Matteo, we may have to recreate this issue first. Can you please create a service request? I am going to work with you on the ticket. Thanks. Michael

Userlevel 3
Badge +1

Hello @Matteo.Gazzadi

At this time, we only use the lifetime of the access_token and do not use the lifetime of the refresh_token at the moment. We do have plans in the future to improve the auth-svc to be able to refresh a token before it expires.

 

Thanks

Emmanuel

Userlevel 3

Tested with 5.0.7 and problem is still present

Userlevel 3

No one facing a similar issue?

Userlevel 2

I have the same problem

Userlevel 2

We have the same issue with the OIDC integration. This is especially difficult when building something like a policy and suddenly having to login again because the session has expired.
