Skip to main content
Solved

K10 OpenID logout continously

M

Dear,

We have setup Kasten with OIDC integration with our Keycloak instance.

We can login in Kasten with our keycloak credentials, however, given that the Access Token has a lifetime of 5 minutes we are loged out from kasten after 5 minutes, like if the Refresh Token is not used.

 

We have configured Kasten like this:

data:

  provider-url: {{ $providerUrl | b64enc }}

  redirect-url: {{ $clusterUrlTrimmed | b64enc }}

  logout-url:   {{ $logoutUrl   | b64enc }}

  client-id:    {{ .Values.identityProvider.clientID | b64enc }}

  client-secret: {{ .Values.identityProvider.clientSecret | b64enc }}

  scopes: {{ .Values.identityProvider.scopes | b64enc }}

  usernameClaim: {{ .Values.identityProvider.usernameClaim | b64enc }}

  usernamePrefix: {{ .Values.identityProvider.usernamePrefix | b64enc }}

  groupClaim: {{ .Values.identityProvider.groupClaim | b64enc }}

 

I don’t know if this is the expected behaviour.

 

Best answer by EBrockman

Hello @Matteo.Gazzadi

At this time, we only use the lifetime of the access_token and do not use the lifetime of the refresh_token at the moment. We do have plans in the future to improve the auth-svc to be able to refresh a token before it expires.

 

Thanks

Emmanuel

View original
Chris.Childerhose
Geoff Burke
M
7 people like this
  • Chris.Childerhose
    Chris.Childerhose
  • Geoff Burke
    Geoff Burke
  • M
    Matteo.Gazzadi
  • L
    lemassacre
  • Madi.Cristil
    Madi.Cristil
  • April M
    April M
  • Y
    YYmxkZMRLUsLzBqMBbLG
Did this topic help you find an answer to your question?

12 comments

L
  • lemassacre
  • Comes here often
  • 9 comments
  • July 5, 2022

i have the same problem

M
  • Matteo.Gazzadi
  • Author
  • Comes here often
  • 4 comments
  • August 8, 2022

No one facing similar issue ?

M
Forum|alt.badge.img
  • michaelxue
  • Comes here often
  • 15 comments
  • August 17, 2022

The behavior should have been fixed by 5.0.6. Please upgrade your k10 to the latest.   

Geoff Burke
1 person likes this
  • Geoff Burke
    Geoff Burke
Geoff Burke
Forum|alt.badge.img+22
  • Geoff Burke
  • Veeam Legend, Veeam Vanguard
  • 1318 comments
  • August 18, 2022
michaelxue wrote:

The behavior should have been fixed by 5.0.6. Please upgrade your k10 to the latest.   

Good to hear. I have a keycloak test setup and was experiencing the same issues but thought that I was just not adept enough to get the keycloak settings right :) 

VMCA2024, VMCE2023, VMCE2024-SP,CKA, LFCS, PCA,TARS
M
  • Matteo.Gazzadi
  • Author
  • Comes here often
  • 4 comments
  • September 27, 2022

Tested with 5.0.7 and problem is still present

M
Forum|alt.badge.img
  • michaelxue
  • Comes here often
  • 15 comments
  • October 7, 2022
Matteo.Gazzadi wrote:

Tested with 5.0.7 and problem is still present

Hi Matteo, We may have to recreate this issue first. Can you please create a service request? I am going to work with you on the ticket.  thanks. Michael

E
Forum|alt.badge.img+1
  • EBrockman
  • Comes here often
  • 89 comments
  • Answer
  • October 7, 2022

Hello @Matteo.Gazzadi

At this time, we only use the lifetime of the access_token and do not use the lifetime of the refresh_token at the moment. We do have plans in the future to improve the auth-svc to be able to refresh a token before it expires.

 

Thanks

Emmanuel

Y

We have the same issue with the OIDC integration. This is especially difficult when building something like a policy and suddenly having to login again because the session has expired.

Y

The support just informed me about the fact that the refresh_token is not used. The feature is expected to be available early next year.

jaiganeshjk
1 person likes this
  • jaiganeshjk
    jaiganeshjk
M
Forum|alt.badge.img
  • michaelxue
  • Comes here often
  • 15 comments
  • August 7, 2023

Another possible explanation for this behavior is the token size exceeding the 4k limit. when a user belongs to numerous groups, say 100. In such cases, the token will encapsulate all these groups, leading to the size issue. A potential solution is to utilize the groupAllowList option. 

helm upgrade k10 kasten/k10 --namespace=kasten-io --reuse-values --set auth."groupAllowList[0]"=<group id>

 

T
  • Tipsmark
  • Not a newbie anymore
  • 5 comments
  • January 5, 2024

Still happening as of version 6.5.1 - insanely annoying being logged out every few minutes...

M
Forum|alt.badge.img
  • michaelxue
  • Comes here often
  • 15 comments
  • January 5, 2024

@Tipsmark please create a tech support ticket. we will test it out. 

Comment


Terms & Conditions