OpenLiberty / open-liberty

Open Liberty is a highly composable, fast to start, dynamic application server runtime environment
https://openliberty.io
Eclipse Public License 2.0

Frustrating user experience after their session expires #16172

Open ghost opened 3 years ago

ghost commented 3 years ago

Describe the bug

We have a Liberty server that uses the configuration element openidConnectProvider. This gives a login page for the end user. After the end user has logged in, they can work for a certain time T. After this time T, a relogin page appears. When the end user logs in again between time T and T + 7 minutes, all is fine. But when the end user tries to relogin after T + 7 minutes, the browser displays a page consisting of just one line of text: CWOAU0073E: An authentication error occurred. Try closing the web browser and authenticating again, or contact the site administrator if the problem persists.

Steps to Reproduce

Open an SSO enabled application. Log in. Wait 12 hours. Reenter your credentials.

Expected behavior

The expectation is that, as long as the browser displays a relogin page, the end user can enter their credentials and will then be successfully authenticated, such that the browser window then displays an application page again.

Diagnostic information:

Additional context

ghost commented 3 years ago

The CWOAU0073E error message is the revised one, after issue #9516.

ghost commented 3 years ago

The issue was also documented in a troubleshooting note for an IBM product, see https://www.ibm.com/support/pages/cwoau0073e-error-was-encountered-while-authenticating-user-please-try-authenticating-again-or-contact-site-administrator-if-problem-persists . Apparently they don't have a workaround.

ayoho commented 3 years ago

Hi, @brhaible - thanks for opening an issue. This might be something we can look at enhancing as part of another issue related to the public-facing error servlet: https://github.com/OpenLiberty/open-liberty/issues/14223.

ghost commented 3 years ago

> This might be something we can look at enhancing as part of another issue related to the public-facing error servlet: #14223.

I don't see how customizing the error page can solve this issue. This issue here is about satisfying the user expectation: as long as the browser displays a relogin page, the end user can enter their credentials and will then be successfully authenticated. In other words, this issue is about not going to the error page after the timeout in the first place.

ayoho commented 3 years ago

@brhaible An option you can consider is adding the authenticationTimeLimit attribute in the <openidConnectClient> element and setting it to some larger value (e.g. authenticationTimeLimit="12h").

The 7 minute timeout is the default value used and controlled by the OIDC client (RP) functionality in Liberty, not the OIDC provider. The Liberty RP sets that value to ensure the login process is done in a timely manner and to limit the amount of time that unique values like state might theoretically be stolen and reused by someone else. Since you're observing this behavior after a 7 minute gap, I'm assuming you have Liberty servers acting as OIDC clients in addition to the Liberty server you mention being configured as an OIDC provider. The authenticationTimeLimit attribute in the <openidConnectClient> element will allow you to set that timeout to any duration you want.
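A server.xml fragment showing where the attribute from the comment above goes. This is an added illustration, not configuration from the issue reporter or the Open Liberty project; the element id, client credentials and discovery URL are placeholders.

```xml
<server>
  <featureManager>
    <feature>openidConnectClient-1.0</feature>
  </featureManager>

  <!-- Placeholder id, client credentials and OP discovery URL: replace with real values. -->
  <!-- With authenticationTimeLimit omitted, the RP uses its default of 7 minutes
       (the gap after which the CWOAU0073E page appears in the report above).
       Raising it lets a relogin page stay usable longer, but also lengthens the
       window in which per-request values such as state remain valid for reuse,
       so choose the smallest value that covers the expected session length. -->
  <openidConnectClient id="REPLACE_ME_RP"
      clientId="REPLACE_ME_CLIENT_ID"
      clientSecret="REPLACE_ME_CLIENT_SECRET"
      discoveryEndpointUrl="https://op.example.invalid/oidc/endpoint/OP/.well-known/openid-configuration"
      authenticationTimeLimit="12h" />
</server>
```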

ayoho commented 3 years ago

@brhaible Any luck with the configuration attribute I suggested?