element-hq / element-web

A glossy Matrix collaboration client for the web.
https://element.io
GNU Affero General Public License v3.0

Frequent Log-Outs when using OIDC #27914

Open n0emis opened 2 months ago

n0emis commented 2 months ago

Steps to reproduce

  1. Log in on a homeserver running OIDC with short lived access tokens and refresh tokens
  2. Wait a while (while for example having an unstable internet connection)
  3. Get signed out "For security"

Outcome

What did you expect?

Correct handling of unstable connections and retries of token refreshes

What happened instead?

When a token refresh fails, even for other reasons than the refresh token being invalid, the session ends

An easy way to reproduce this is blocking POST to https://$mas/oauth2/token, although this is not necessary: [image]

It should look like the following: [image]

Sometimes there are even race conditions, where the old token gets re-used, even if a correct one has just become available. This happened without any modification or request-blocking: [image]

URL for webapp

app.element.io and more

Application version

Element 1.11.71 and 1.11.73

Homeserver

gwdg.de: Synapse 1.111.0 with MAS 0.9.0 and 0.10.0-rc.0

n0emis commented 2 months ago

The underlying issue here might be that there is no difference in how a returned error from the OP is handled in comparison to different failure modes. A connection error just falls through to the logout: https://github.com/matrix-org/matrix-js-sdk/blob/8c3b249567cbc60060fe34c7380f3f9cf6eb17e9/src/http-api/fetch.ts#L164-L173

BTW: The rust-sdk is handling this correctly: https://github.com/matrix-org/matrix-rust-sdk/blob/main/crates/matrix-sdk/src/client/futures.rs#L150-L154
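One way a client can separate the failure modes described in this thread (transport error or OP-side error, which should be retried, versus a definitive rejection of the refresh token, which should end the session). This is an added illustration, not code from matrix-js-sdk or Element; the synchronous `attempt()` stand-in for the POST to `/oauth2/token`, the status thresholds and the backoff schedule are assumptions.

```javascript
// Added example (not matrix-js-sdk code): decide, per refresh outcome, whether
// to renew, retry later, or log out. Only a definitive rejection of the refresh
// token by the OP ends the session.

// RFC 6749 §5.2: invalid_grant means the refresh token is expired, revoked or
// already used; nothing a retry can fix.
const FATAL_OAUTH_ERRORS = new Set(["invalid_grant"]);

// outcome: { networkError: true } | { status, body }
// returns "success" | "retry" | "logout"
function classifyRefreshOutcome(outcome) {
  if (outcome.networkError) return "retry";            // fetch rejected: offline, DNS, reset
  if (outcome.status >= 200 && outcome.status < 300) return "success";
  if (outcome.status >= 500 || outcome.status === 429) return "retry"; // OP unavailable / throttling
  if (outcome.status === 400 || outcome.status === 401) {
    const err = outcome.body && outcome.body.error;
    return FATAL_OAUTH_ERRORS.has(err) ? "logout" : "retry";
  }
  return "retry"; // anything else is treated as transient (assumption)
}

// attempt(): synchronous stand-in for the token request; either throws
// (transport failure) or returns { status, body }. Delays are recorded, not slept.
function refreshWithRetry(attempt, maxAttempts = 5, baseDelayMs = 1000) {
  const delays = [];
  for (let i = 0; i < maxAttempts; i++) {
    let outcome;
    try { outcome = attempt(); } catch (e) { outcome = { networkError: true }; }
    const verdict = classifyRefreshOutcome(outcome);
    if (verdict === "success") return { action: "renewed", tokens: outcome.body, delays };
    if (verdict === "logout") return { action: "logout", reason: outcome.body.error, delays };
    delays.push(Math.min(baseDelayMs * 2 ** i, 30000)); // capped exponential backoff
  }
  // Budget exhausted: keep the session and schedule another round later.
  return { action: "retry_later", delays };
}

// Constructed scenario: two dropped connections, then the OP answers normally.
function flakyOp() {
  let calls = 0;
  return () => {
    calls++;
    if (calls <= 2) throw new TypeError("Failed to fetch");
    return { status: 200, body: { access_token: "new-at", refresh_token: "new-rt" } };
  };
}
```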