IdentityModel / oidc-client-js

OpenID Connect (OIDC) and OAuth2 protocol support for browser-based JavaScript applications
Apache License 2.0

frame window timeout under heavy network load #1300

Closed s3645t14n closed 3 years ago

s3645t14n commented 3 years ago

Hello,

we have a geo-information system running and we have an issue with user sessions unexpectedly ending while the user is actively working with maps.

I'm a system administrator so I don't have direct access to the source code, but in the network logs I see that the system is apparently using implicit flow with a token lifetime of around 4 min and silent_renew.html running every 3 seconds.

Usually everything works fine, but when the user loads some maps, the network gets flooded with .png tile requests. If the token happens to expire at the same time, there is almost a 100% probability that it fails to renew and the session will close (it can actually close even if the token isn't yet expired, just because of loading an excessive amount of maps and flooding the network with requests). In the console log I see this:

10:24:53.231 oidc-client.min.js:3 querySessionStatus success for sub:  187f87b2-0246-4c9b-965c-9226667b0d79
10:24:55.439 oidc-client.min.js:3 querySessionStatus success for sub:  187f87b2-0246-4c9b-965c-9226667b0d79
10:24:57.626 oidc-client.min.js:3 querySessionStatus success for sub:  187f87b2-0246-4c9b-965c-9226667b0d79
10:24:59.792 oidc-client.min.js:3 querySessionStatus success for sub:  187f87b2-0246-4c9b-965c-9226667b0d79
10:25:01.989 oidc-client.min.js:3 querySessionStatus success for sub:  187f87b2-0246-4c9b-965c-9226667b0d79
10:25:04.154 oidc-client.min.js:3 querySessionStatus success for sub:  187f87b2-0246-4c9b-965c-9226667b0d79
10:25:06.328 oidc-client.min.js:3 querySessionStatus success for sub:  187f87b2-0246-4c9b-965c-9226667b0d79
10:25:08.481 oidc-client.min.js:3 querySessionStatus success for sub:  187f87b2-0246-4c9b-965c-9226667b0d79
10:25:12.012 oidc-client.min.js:3 querySessionStatus success for sub:  187f87b2-0246-4c9b-965c-9226667b0d79
10:25:27.580 oidc-client.min.js:3 querySessionStatus success for sub:  187f87b2-0246-4c9b-965c-9226667b0d79
10:25:30.130 oidc-client.min.js:3 Frame window timed out
t.error @ oidc-client.min.js:3
t._error @ oidc-client.min.js:77
t._timeout @ oidc-client.min.js:77
setTimeout (async)
t.navigate @ oidc-client.min.js:77
(anonymous) @ oidc-client.min.js:77
Promise.then (async)
(anonymous) @ oidc-client.min.js:77
Promise.then (async)
e._signinStart @ oidc-client.min.js:77
e._signin @ oidc-client.min.js:77
(anonymous) @ oidc-client.min.js:77
Promise.then (async)
e.signinSilent @ oidc-client.min.js:77
t._tokenExpiring @ oidc-client.min.js:78
t.raise @ oidc-client.min.js:78
e._callback @ oidc-client.min.js:78
setInterval (async)
(anonymous) @ oidc-client.min.js:4
e @ oidc-client.min.js:4
e.init @ oidc-client.min.js:78
t.load @ oidc-client.min.js:78
e.load @ oidc-client.min.js:77
(anonymous) @ oidc-client.min.js:77
Promise.then (async)
(anonymous) @ oidc-client.min.js:77
Promise.then (async)
e._signinEnd @ oidc-client.min.js:77
(anonymous) @ oidc-client.min.js:77
Promise.then (async)
e._signin @ oidc-client.min.js:77
(anonymous) @ oidc-client.min.js:77
Promise.then (async)
e.signinSilent @ oidc-client.min.js:77
t._tokenExpiring @ oidc-client.min.js:78
t.raise @ oidc-client.min.js:78
e._callback @ oidc-client.min.js:78
setInterval (async)
(anonymous) @ oidc-client.min.js:4
e @ oidc-client.min.js:4
e.init @ oidc-client.min.js:78
t.load @ oidc-client.min.js:78
e.load @ oidc-client.min.js:77
(anonymous) @ oidc-client.min.js:77
Promise.then (async)
e.getUser @ oidc-client.min.js:77
(anonymous) @ (index):450
10:25:30.131 oidc-client.min.js:3 Error from signinSilent: Frame window timed out
t.error @ oidc-client.min.js:3
(anonymous) @ oidc-client.min.js:78
Promise.then (async)
t._tokenExpiring @ oidc-client.min.js:78
t.raise @ oidc-client.min.js:78
e._callback @ oidc-client.min.js:78
setInterval (async)
(anonymous) @ oidc-client.min.js:4
e @ oidc-client.min.js:4
e.init @ oidc-client.min.js:78
t.load @ oidc-client.min.js:78
e.load @ oidc-client.min.js:77
(anonymous) @ oidc-client.min.js:77
Promise.then (async)
(anonymous) @ oidc-client.min.js:77
Promise.then (async)
e._signinEnd @ oidc-client.min.js:77
(anonymous) @ oidc-client.min.js:77
Promise.then (async)
e._signin @ oidc-client.min.js:77
(anonymous) @ oidc-client.min.js:77
Promise.then (async)
e.signinSilent @ oidc-client.min.js:77
t._tokenExpiring @ oidc-client.min.js:78
t.raise @ oidc-client.min.js:78
e._callback @ oidc-client.min.js:78
setInterval (async)
(anonymous) @ oidc-client.min.js:4
e @ oidc-client.min.js:4
e.init @ oidc-client.min.js:78
t.load @ oidc-client.min.js:78
e.load @ oidc-client.min.js:77
(anonymous) @ oidc-client.min.js:77
Promise.then (async)
e.getUser @ oidc-client.min.js:77
(anonymous) @ (index):450
10:25:30.131 (index):393 silent renew error Frame window timed out
10:25:30.144 oidc-client.min.js:3 Frame window timed out
t.error @ oidc-client.min.js:3
t._error @ oidc-client.min.js:77
t._timeout @ oidc-client.min.js:77
setTimeout (async)
t.navigate @ oidc-client.min.js:77
(anonymous) @ oidc-client.min.js:77
Promise.then (async)
(anonymous) @ oidc-client.min.js:77
Promise.then (async)
e._signinStart @ oidc-client.min.js:77
e.querySessionStatus @ oidc-client.min.js:77
t._callback @ oidc-client.min.js:78
t._message @ oidc-client.min.js:78
postMessage (async)
(anonymous) @ checksession:296
postMessage (async)
(anonymous) @ oidc-client.min.js:78
setInterval (async)
t.start @ oidc-client.min.js:78
(anonymous) @ oidc-client.min.js:78
Promise.then (async)
t._callback @ oidc-client.min.js:78
t._message @ oidc-client.min.js:78
postMessage (async)
(anonymous) @ checksession:296
postMessage (async)
(anonymous) @ oidc-client.min.js:78
setInterval (async)
t.start @ oidc-client.min.js:78
(anonymous) @ oidc-client.min.js:78
Promise.then (async)
t._callback @ oidc-client.min.js:78
t._message @ oidc-client.min.js:78
postMessage (async)
(anonymous) @ checksession:296
postMessage (async)
(anonymous) @ oidc-client.min.js:78
setInterval (async)
t.start @ oidc-client.min.js:78
(anonymous) @ oidc-client.min.js:78
Promise.then (async)
t._callback @ oidc-client.min.js:78
t._message @ oidc-client.min.js:78
postMessage (async)
(anonymous) @ checksession:296
postMessage (async)
(anonymous) @ oidc-client.min.js:78
setInterval (async)
t.start @ oidc-client.min.js:78
(anonymous) @ oidc-client.min.js:78
Promise.then (async)
t._callback @ oidc-client.min.js:78
t._message @ oidc-client.min.js:78
postMessage (async)
(anonymous) @ checksession:296
postMessage (async)
(anonymous) @ oidc-client.min.js:78
setInterval (async)
t.start @ oidc-client.min.js:78
(anonymous) @ oidc-client.min.js:78
Promise.then (async)
t._callback @ oidc-client.min.js:78
t._message @ oidc-client.min.js:78
postMessage (async)
(anonymous) @ checksession:296
postMessage (async)
(anonymous) @ oidc-client.min.js:78
setInterval (async)
t.start @ oidc-client.min.js:78
(anonymous) @ oidc-client.min.js:78
Promise.then (async)
t._callback @ oidc-client.min.js:78
t._message @ oidc-client.min.js:78
postMessage (async)
(anonymous) @ checksession:296
postMessage (async)
(anonymous) @ oidc-client.min.js:78
setInterval (async)
t.start @ oidc-client.min.js:78
(anonymous) @ oidc-client.min.js:78
Promise.then (async)
t._callback @ oidc-client.min.js:78
t._message @ oidc-client.min.js:78
postMessage (async)
(anonymous) @ checksession:296
10:25:30.146 (index):403 user signed out
10:25:30.256 oidc-client.min.js:3 user removed from storage
10:25:30.256 (index):381 user unloaded

It looks like the corresponding authorize request gets through, but to no avail:

image

What I did:

Now I don't expect to learn the reason for this behavior right away, but I would be very grateful if someone could advise me where to look. For now I'm not even sure what "Frame window timeout" actually means. Is it what happens when the iframe gets an incorrect answer to its authorize request?

Sorry for my English, thanks for any help.

brockallen commented 3 years ago

and silent_renew.html running every 3 seconds.

Why so frequent? Access tokens that short seem like a poor choice.

Usually everything works fine, but when user loads some maps, network gets flooded with .png tiles requests.

Likely because the browser only allows so many outbound HTTP calls at a time.

s3645t14n commented 3 years ago

Why so frequent? Access tokens that short seem like a poor choice.

That was the system developer's choice, I'm not really sure why; I'm a very inexperienced JS developer myself. I thought that it checks (every 3 sec) if the token is expired and renews it if it is, but maybe I'm wrong and it doesn't work like this.

Likely because the browser only allows so many outbound HTTP calls at a time.

Is it possible that, due to the HTTP call limit, the iframe times out while pending when there are too many of those png requests? What exactly does "Frame window timeout" mean in terms of this oidc implementation?

brockallen commented 3 years ago

Is it possible that due to HTTP call limit iframe gets timeout while pending when there's too many of those png requests? What exactly "Frame window timeout" means in terms of this oidc implementation?

Token renewal happens in the iframe, and it's based on the user's SSO cookie at the IdP. The iframe might time out because it's showing an error page, or it's just too slow because the browser's not making the HTTP request due to the other outbound calls. I don't know which one it is, though, in your case.

brockallen commented 3 years ago

If it is a timeout because an error page is being displayed, then check the logs in your IdP to see if that helps identify the issue. Report back, please, if you think/find there's a bug in this library.
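The following is an added example, not code from this issue or from the oidc-client-js library. It shows the kind of handler an application can hang off the library's `events.addSilentRenewError()` hook so that a single starved iframe (the "Frame window timed out" case brockallen describes) is retried while the current access token is still valid, whereas a real answer from the IdP on the prompt=none request (`login_required` and friends) ends the session immediately. The keys in `settings` are the library's documented UserManagerSettings names; the values, the retry policy, the simulated clock and the scripted outcomes are assumptions chosen to match the numbers in the thread (a token lifetime of roughly four minutes), not anything the library or the reporter's application does.

```javascript
// Added example: a retry policy for silent-renew failures in an
// oidc-client-js application. Not library code; settings VALUES and the
// policy itself are assumptions for illustration.

// Real oidc-client-js UserManagerSettings keys; values are assumptions.
const settings = {
  // Time the hidden iframe gets before the library raises
  // "Frame window timed out". Library default is 10000 ms; an app whose
  // page floods the connection pool with tile requests needs headroom.
  silentRequestTimeout: 20000,
  // Fire accessTokenExpiring this many seconds before expiry, so a failed
  // renew can be retried while the current token still works.
  accessTokenExpiringNotificationTime: 120,
  automaticSilentRenew: true,
  // Polling cadence of the check-session iframe (querySessionStatus);
  // this is the ~2 s rhythm in the console log, not the renew interval.
  checkSessionInterval: 2000,
};

// Classify what signinSilent() rejected with.
function classifyRenewError(err) {
  const msg = String((err && err.message) || err);
  if (/Frame window timed out/i.test(msg)) return 'transient';
  if (/network|failed to fetch/i.test(msg)) return 'transient';
  // Errors the IdP returns to the prompt=none request mean the SSO cookie
  // is gone or interaction is needed; retrying cannot fix that.
  if (/login_required|interaction_required|consent_required/i.test(msg)) return 'terminal';
  return 'unknown';
}

// Decide what to do after a silentRenewError.
//   user    - stored User object ({ expires_at: unix seconds }, as the library exposes)
//   nowSec  - current time, unix seconds
//   attempt - retries already made in this expiry cycle (0 on first failure)
// Returns { action: 'retry', delayMs } or { action: 'give_up', reason }.
// On give_up the app would call signinRedirect() or removeUser(), its choice.
function decideAfterRenewError(err, user, nowSec, attempt, opts = {}) {
  const maxAttempts = opts.maxAttempts ?? 4;
  const baseDelayMs = opts.baseDelayMs ?? 2000;
  if (classifyRenewError(err) === 'terminal') {
    return { action: 'give_up', reason: String((err && err.message) || err) };
  }
  if (!user || typeof user.expires_at !== 'number') {
    return { action: 'give_up', reason: 'no user to renew' };
  }
  const remainingMs = (user.expires_at - nowSec) * 1000;
  if (remainingMs <= 0) return { action: 'give_up', reason: 'access token already expired' };
  if (attempt >= maxAttempts) return { action: 'give_up', reason: 'renew retries exhausted' };
  // Exponential backoff, capped so the next attempt can still complete
  // (including a full frame timeout) before the token dies.
  const backoffMs = baseDelayMs * 2 ** attempt;
  const latestStartMs = remainingMs - settings.silentRequestTimeout;
  if (latestStartMs <= 0) {
    return { action: 'give_up', reason: 'not enough lifetime left for another attempt' };
  }
  return { action: 'retry', delayMs: Math.min(backoffMs, latestStartMs) };
}

// Deterministic dry run of one expiry cycle with a simulated clock.
// scriptedErrors: per-attempt error message, or null for a successful renew
// (constructed input standing in for what signinSilent() would produce).
function simulateRenewCycle(scriptedErrors, user, startSec) {
  let nowSec = startSec;
  const trace = [];
  for (let attempt = 0; attempt < scriptedErrors.length; attempt++) {
    const err = scriptedErrors[attempt];
    if (err === null) {
      trace.push({ t: nowSec, event: 'renewed' });
      return { result: 'renewed', attempts: attempt + 1, trace };
    }
    // A timed-out frame has already burned the whole silentRequestTimeout;
    // any other failure is assumed to surface after about a second.
    nowSec += /timed out/i.test(err) ? settings.silentRequestTimeout / 1000 : 1;
    const decision = decideAfterRenewError(new Error(err), user, nowSec, attempt);
    trace.push({ t: nowSec, event: err, decision });
    if (decision.action !== 'retry') {
      return { result: decision.reason, attempts: attempt + 1, trace };
    }
    nowSec += decision.delayMs / 1000;
  }
  return { result: 'script exhausted', attempts: scriptedErrors.length, trace };
}

// Scenario from the thread: ~4 min token, renew starts 120 s before expiry,
// the first two iframes are starved by tile downloads, the third succeeds.
const demoUser = { expires_at: 1240 };
const demo = simulateRenewCycle(
  ['Frame window timed out', 'Frame window timed out', null],
  demoUser,
  demoUser.expires_at - settings.accessTokenExpiringNotificationTime,
);
```

Run the same script with the library's default `silentRequestTimeout` of 10 s and a 60 s notification window and the arithmetic still works out, but with a 4 minute token and a renew window of only a few seconds there is no room for a second attempt at all, which is the practical reason the retry policy has to be paired with a longer `accessTokenExpiringNotificationTime` (or longer-lived tokens, as brockallen suggests).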