-
Previous Value: Session expires prematurely for users authenticated via SSO/OIDC (Authentik) despite "Never Expire" setting
Current Value: Session expires prematurely for users authenticated via SSO/OIDC despite "Never Expire" setting
-
@cah please investigate this issue
-
Investigated the SSO/OIDC session expiry path without changing code.
The likely cause is in DefaultJettyService: when SystemSetting.sessionTimeout is empty, the code applies DEFAULT_SESSION_TIMEOUT instead of an unlimited servlet session timeout. That contradicts the system setting description, which says an empty value should never expire while the browser is open.
Why this is observed mainly with SSO/OIDC: SSO login in SsoProcessPage.afterLogin only calls SecurityUtils.getSubject().runAs(...); it does not create a remember-me cookie. Local login can appear unaffected when users select remember-me, because LoginPage.afterLogin invokes rememberMeManager.onSuccessfulLogin(...) in that case. I did not find any OpenID token lifetime being reused as the OneDev web session lifetime; the OIDC token expiration is only checked during the callback processing.
A fix should make the empty/"Never expire" setting translate to the servlet container
-
Completing the truncated final sentence from my previous comment:
A fix should make the empty/"Never expire" setting translate to the servlet container non-expiring max inactive interval instead of falling back to the default timeout, and should apply the same behavior when the setting is updated at runtime.
-
Even if the session is set to never expire, OneDev will send a keep-alive message from the browser to the server so that server resources for the session can be released if the browser is closed. Otherwise, sessions on the server would be held forever and use up memory.
However, when the browser window is minimized or not in the foreground for some time, the OS may halt execution of JavaScript and the keep-alive message will never be sent. This causes the session to time out.
This is not specific to Authentik. It happens with internal authentication as well.
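The two behaviours discussed in this thread, an empty timeout setting being mapped to the default interval instead of a non-expiring one, and a never-expiring session still being dropped once the browser stops sending keep-alives, modelled in a small Python example added here for illustration. It is not OneDev code and does not reproduce DefaultJettyService or OneDev's real keep-alive logic: the class names, the 60 s ping interval, the three-missed-pings rule, the 3600 s default and the event timeline are all constructed assumptions, and it assumes a keep-alive proves the browser is alive without counting as request activity for the idle timeout.

```python
"""Session idle timeout plus browser keep-alive reaper, modelled in Python.

Added example for this issue thread; not OneDev code. Every name, interval
and timeline below is a constructed assumption.
"""
from dataclasses import dataclass, field

NEVER_EXPIRE = -1               # servlet convention: negative max-inactive-interval = never
DEFAULT_SESSION_TIMEOUT = 3600  # assumed fallback in seconds (value not taken from the page)
REASON_IDLE = "idle timeout"
REASON_KEEPALIVE = "keep-alive lost"


def buggy_max_inactive_interval(setting: str, default: int = DEFAULT_SESSION_TIMEOUT) -> int:
    """Behaviour the thread describes: an empty setting falls back to the default."""
    return default if not setting.strip() else int(setting) * 60


def fixed_max_inactive_interval(setting: str) -> int:
    """Proposed mapping: empty means 'never expire while the browser is open'."""
    if not setting.strip():
        return NEVER_EXPIRE
    minutes = int(setting)
    if minutes <= 0:
        raise ValueError("session timeout must be empty or a positive number of minutes")
    return minutes * 60


@dataclass
class Session:
    sid: str
    max_inactive: int      # seconds, or NEVER_EXPIRE
    last_request: float    # last real HTTP request that touched the session
    last_keepalive: float  # last keep-alive message from the browser


@dataclass
class SessionStore:
    """Assumed reaping rules: the servlet idle timeout, plus a liveness check
    that drops sessions whose browser stopped sending keep-alives."""
    keepalive_interval: int = 60        # assumed: browser pings every 60 s
    missed_keepalives_allowed: int = 3  # assumed: reap after 3 silent intervals
    sessions: dict = field(default_factory=dict)

    def create(self, sid: str, now: float, max_inactive: int) -> None:
        self.sessions[sid] = Session(sid, max_inactive, now, now)

    def request(self, sid: str, now: float) -> None:
        # A real request both proves liveness and resets the idle clock.
        s = self.sessions[sid]
        s.last_request = now
        s.last_keepalive = now

    def keepalive(self, sid: str, now: float) -> None:
        # Assumption: the keep-alive only proves the browser is alive; it is
        # not counted as request activity for the idle timeout.
        self.sessions[sid].last_keepalive = now

    def reap(self, now: float) -> dict:
        """Invalidate dead sessions; return {sid: reason} for what was removed."""
        removed = {}
        silence_limit = self.keepalive_interval * self.missed_keepalives_allowed
        for sid, s in list(self.sessions.items()):
            if s.max_inactive > 0 and now - s.last_request > s.max_inactive:
                removed[sid] = REASON_IDLE
            elif now - s.last_keepalive > silence_limit:
                removed[sid] = REASON_KEEPALIVE  # browser closed or JavaScript halted
        for sid in removed:
            del self.sessions[sid]
        return removed


def simulate(resolver, setting: str, foreground_until: float, check_at: float) -> dict:
    """Constructed timeline: one session created at t=0 with the interval the
    resolver derives from `setting`; keep-alives arrive every 60 s while the tab
    is in the foreground (until `foreground_until`), then silence; the reaper
    runs at `check_at`. Returns what the reaper removed."""
    store = SessionStore()
    store.create("s1", 0.0, resolver(setting))
    t = store.keepalive_interval
    while t <= min(foreground_until, check_at):
        store.keepalive("s1", t)
        t += store.keepalive_interval
    return store.reap(check_at)


if __name__ == "__main__":
    # Reported bug: empty setting, tab in the foreground, reaped at the default timeout.
    print("buggy, foreground:", simulate(buggy_max_inactive_interval, "", 7200, 3601))
    # Proposed fix: same timeline, session survives.
    print("fixed, foreground:", simulate(fixed_max_inactive_interval, "", 7200, 3601))
    # Maintainer's point: never-expire, but JavaScript halted after 600 s.
    print("fixed, backgrounded:", simulate(fixed_max_inactive_interval, "", 600, 900))
```

The model separates the two clocks on purpose: the idle timeout is what the "Never expire" setting controls, while the keep-alive liveness check is what fires when a backgrounded tab stops running JavaScript, which is why the fix to the setting mapping cannot by itself prevent the second kind of expiry.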
| Type | Bug |
| Priority | Normal |
| Assignee | |
| Affected Versions | 15.1.8, 16.0.0 (and potentially earlier versions) |
| Labels | No labels |
OneDev Version: 16.0.0
Summary
When users authenticate via SSO using an external OIDC provider (Authentik), their OneDev session expires after a relatively short period (estimated around 1 hour) despite session expiry being configured to Never Expire in Administration -> System Settings. This issue does not affect users authenticated via OneDev's built-in local login.
Steps to Reproduce
Expected Behaviour
Session should persist until the browser is closed, or indefinitely if "Never Expire" is set - consistent with the behaviour of locally authenticated users. Expiry on browser close is acceptable. Expiry on a timer while the browser remains open is not.
Actual Behaviour
Session expires after approximately 1 hour (exact duration not precisely measured) for SSO/OIDC-authenticated users while the browser remains open. Upon expiry, the user is redirected to the OneDev local login page. Re-authenticating via SSO works successfully.
Environment
Additional Notes