Session expires prematurely for users authenticated via SSO/OIDC despite "Never Expire" setting #2832
Zak Siddiqui opened 2 days ago

OneDev Version: 16.0.0

Summary

When users authenticate via SSO using an external OIDC provider (Authentik), their OneDev session expires after a relatively short period (estimated around 1 hour) despite session expiry being configured to Never Expire in Administration -> System Settings. This issue does not affect users authenticated via OneDev's built-in local login.

Steps to Reproduce

  1. Configure OneDev with an OIDC SSO provider (tested with Authentik).
  2. Set session expiry to "Never Expire" in Administration -> System Settings.
  3. Log in using SSO/OIDC authentication.
  4. Leave the session idle or active for approximately 1 hour.
  5. Observe that the session has expired and the user is redirected to the OneDev login page.

Expected Behaviour

Session should persist until the browser is closed, or indefinitely if "Never Expire" is set - consistent with the behaviour of locally authenticated users. Expiry on browser close is acceptable. Expiry on a timer while the browser remains open is not.

Actual Behaviour

Session expires after approximately 1 hour (exact duration not precisely measured) for SSO/OIDC-authenticated users while the browser remains open. Upon expiry, the user is redirected to the OneDev local login page. Re-authenticating via SSO works successfully.

Environment

  • OneDev Version: 16.0.0. Also on the latest version before 16. OIDC has only been implemented in the past 1 week, so we can't tie this down to a particular version.
  • SSO Provider: Authentik (OIDC)
  • Session Expiry Setting: Never Expire

Additional Notes

  • It is unclear whether the premature expiry is caused by the OIDC provider's own token or session lifetime being used in place of OneDev's session expiry setting, or whether OneDev is not correctly applying the "Never Expire" setting to SSO-authenticated sessions. Update: we are quite sure it's not related to the OIDC identity provider since this behaviour is not occurring with our other apps.
  • This has been observed consistently across all SSO/OIDC-authenticated users.
  • Confirmed: Users authenticated via OneDev's built-in local login are unaffected under the same session expiry settings. The issue is isolated to SSO/OIDC-authenticated sessions.
  • Zak Siddiqui changed title 2 days ago
    Previous value: Session expires prematurely for users authenticated via SSO/OIDC (Authentik) despite "Never Expire" setting
    Current value: Session expires prematurely for users authenticated via SSO/OIDC despite "Never Expire" setting
  • Robin Shen commented 1 day ago

    @cah please investigate this issue

  • Chief Work Horse commented 1 day ago

    Investigated the SSO/OIDC session expiry path without changing code.

    The likely cause is in DefaultJettyService: when SystemSetting.sessionTimeout is empty, the code applies DEFAULT_SESSION_TIMEOUT instead of an unlimited servlet session timeout. That contradicts the system setting description, which says an empty value should never expire while the browser is open.

    Why this is observed mainly with SSO/OIDC: SSO login in SsoProcessPage.afterLogin only calls SecurityUtils.getSubject().runAs(...); it does not create a remember-me cookie. Local login can appear unaffected when users select remember-me, because LoginPage.afterLogin invokes rememberMeManager.onSuccessfulLogin(...) in that case. I did not find any OpenID token lifetime being reused as the OneDev web session lifetime; the OIDC token expiration is only checked during the callback processing.

    A fix should make the empty/"Never expire" setting translate to the servlet container

  • Chief Work Horse commented 1 day ago

    Completing the truncated final sentence from my previous comment:

    A fix should make the empty/"Never expire" setting translate to the servlet container non-expiring max inactive interval instead of falling back to the default timeout, and should apply the same behavior when the setting is updated at runtime.
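As an added illustration of the mapping the comment above asks for (this is example code, not OneDev's own DefaultJettyService or SystemSetting code), the class below treats an empty timeout setting as a non-expiring servlet session and pushes a runtime change of the setting to sessions that already exist. The class name, the `update` method and the value 60 for the default timeout are assumptions; only `HttpSession.setMaxInactiveInterval` (where a value of zero or less means the session never times out) and the `HttpSessionListener` callbacks are real Servlet API.

```java
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpSession;
import javax.servlet.http.HttpSessionEvent;
import javax.servlet.http.HttpSessionListener;

/*
 * Added illustration, not OneDev code: an empty session-timeout setting
 * ("Never Expire") becomes a non-expiring servlet session, and a change to
 * the setting at runtime is re-applied to sessions that already exist.
 */
public final class SessionTimeoutPolicy implements HttpSessionListener {

    // Hypothetical stand-in for OneDev's DEFAULT_SESSION_TIMEOUT, in minutes.
    static final int DEFAULT_SESSION_TIMEOUT_MINUTES = 60;

    // Servlet API contract: setMaxInactiveInterval(n) with n <= 0 never times out.
    static final int NEVER_EXPIRE_SECONDS = -1;

    // Current setting; empty mirrors the "Never Expire" choice in System Settings.
    private volatile Optional<Integer> timeoutMinutes;

    // Live sessions, so a settings change can be applied without a restart.
    private final Set<HttpSession> liveSessions = ConcurrentHashMap.newKeySet();

    SessionTimeoutPolicy(Optional<Integer> timeoutMinutes) {
        this.timeoutMinutes = timeoutMinutes;
    }

    // The behaviour the comment above attributes to the current code:
    // an empty setting silently falls back to the default timeout.
    static int maxInactiveSecondsBuggy(Optional<Integer> timeoutMinutes) {
        return timeoutMinutes.orElse(DEFAULT_SESSION_TIMEOUT_MINUTES) * 60;
    }

    // Corrected mapping: empty means never expire (non-positive interval).
    static int maxInactiveSeconds(Optional<Integer> timeoutMinutes) {
        return timeoutMinutes.map(minutes -> minutes * 60).orElse(NEVER_EXPIRE_SECONDS);
    }

    // New sessions receive the interval derived from the current setting.
    @Override
    public void sessionCreated(HttpSessionEvent event) {
        HttpSession session = event.getSession();
        session.setMaxInactiveInterval(maxInactiveSeconds(timeoutMinutes));
        liveSessions.add(session);
    }

    @Override
    public void sessionDestroyed(HttpSessionEvent event) {
        liveSessions.remove(event.getSession());
    }

    // Hypothetical hook for when an administrator saves System Settings:
    // re-apply the interval to every session that is still alive.
    void update(Optional<Integer> newTimeoutMinutes) {
        this.timeoutMinutes = newTimeoutMinutes;
        int seconds = maxInactiveSeconds(newTimeoutMinutes);
        for (HttpSession session : liveSessions) {
            session.setMaxInactiveInterval(seconds);
        }
    }
}
```

The listener would be registered with the servlet context at startup and `update` invoked from the settings save path; whether the container exposes `javax.servlet` or `jakarta.servlet` depends on the Jetty version in use, which the report does not state. Note that a non-expiring interval on its own does not address the separate keep-alive behaviour discussed later in this thread.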

  • Robin Shen commented 13 hours ago

    Even if the session is set to never expire, OneDev sends a keep-alive message from the browser to the server so that the server can release the session's resources when the browser is closed. Otherwise, sessions on the server would be held forever and use up memory.

    However, when the browser window is minimized or not in the foreground for some time, the OS may halt JavaScript execution, and the keep-alive message will never be sent. This causes the session to time out.

    This is not specific to Authentik. It happens with internal authentication also.

Type: Bug
Priority: Normal
Assignee:
Affected Versions: 15.1.8, 16.0.0 (and potentially earlier versions)
Labels: No labels
Issue Votes (0)
Watchers (2)
Reference: OD-2832