Web Idle timeout of 30s or less ends up in a redirect loop

[pschisa]

Expected behavior: When web_idle_timeout is set to 30s or less, web applications will continue to work as expected.

Current behavior: When web_idle_timeout is set to 30s or less, web applications fail and continuously redirect to the Teleport login page.

Initial internal investigation seems to point at the following code as the culprit:

function startActivityChecker(ttl = 0) {
  // adjustedTtl slightly improves accuracy of inactivity time.
  // This will at most cause user to log out ACTIVITY_CHECKER_INTERVAL_MS early.
  // NOTE: Because of browser js throttling on inactive tabs, expiry timeout may
  // still be extended up to over a minute.
  const adjustedTtl = ttl - ACTIVITY_CHECKER_INTERVAL_MS;

const ACTIVITY_CHECKER_INTERVAL_MS = 30 * 1000;

https://github.com/gravitational/teleport/blob/2fdc3c2e3ba00d4a8cda7b1dee7b32afd784a9bf/web/packages/teleport/src/components/Authenticated/Authenticated.tsx#L69-L74

Bug details:

• Teleport version teleport version 13.3.7 on the cluster, teleport version 13.3.4 on the agent
• Recreation steps set web_idle_timeout to 30s or less and attempt to access the application
• Debug logs from the proxy/auth service, no logs appear on the app agent during a failure

  Sep 22 20:28:26 Test-Cluster-Node1-US-East teleport[19328]: 2023-09-22T20:28:26Z WARN             GitHub connector field teams_to_logins is deprecated and will be removed in the next version. Please use teams_to_roles instead. types/github.go:184
  Sep 22 20:28:26 Test-Cluster-Node1-US-East teleport[19328]: 2023-09-22T20:28:26Z WARN [WEB]       Request failed: bad bearer token. error:[
  Sep 22 20:28:26 Test-Cluster-Node1-US-East teleport[19328]: ERROR REPORT:
  Sep 22 20:28:26 Test-Cluster-Node1-US-East teleport[19328]: Original Error: *trace.NotFoundError "/web/tokens/undefined" is not found
  Sep 22 20:28:26 Test-Cluster-Node1-US-East teleport[19328]: Stack Trace:
  Sep 22 20:28:26 Test-Cluster-Node1-US-East teleport[19328]: github.com/gravitational/teleport/api@v0.0.0/client/sessions.go:104 github.com/gravitational/teleport/api/client.(*webTokens).Get
  Sep 22 20:28:26 Test-Cluster-Node1-US-East teleport[19328]: github.com/gravitational/teleport/api@v0.0.0/client/sessions.go:92 github.com/gravitational/teleport/api/client.(*Client).GetWebToken
  Sep 22 20:28:26 Test-Cluster-Node1-US-East teleport[19328]: github.com/gravitational/teleport/lib/web/sessions.go:1040 github.com/gravitational/teleport/lib/web.(*sessionCache).readBearerToken
  Sep 22 20:28:26 Test-Cluster-Node1-US-East teleport[19328]: github.com/gravitational/teleport/lib/web/sessions.go:191 github.com/gravitational/teleport/lib/web.(*SessionContext).validateBearerToken
  Sep 22 20:28:26 Test-Cluster-Node1-US-East teleport[19328]: github.com/gravitational/teleport/lib/web/apiserver.go:3802 github.com/gravitational/teleport/lib/web.(*Handler).AuthenticateRequest
  Sep 22 20:28:26 Test-Cluster-Node1-US-East teleport[19328]: github.com/gravitational/teleport/lib/web/apiserver.go:3723 github.com/gravitational/teleport/lib/web.(*Handler).WithAuth.func1
  Sep 22 20:28:26 Test-Cluster-Node1-US-East teleport[19328]: github.com/gravitational/teleport/lib/httplib/httplib.go:117 github.com/gravitational/teleport/lib/httplib.MakeHandlerWithErrorWriter.func1
  Sep 22 20:28:26 Test-Cluster-Node1-US-East teleport[19328]: github.com/julienschmidt/httprouter@v1.3.0/router.go:399 github.com/julienschmidt/httprouter.(*Router).ServeHTTP
  Sep 22 20:28:26 Test-Cluster-Node1-US-East teleport[19328]: net/http/server.go:2165 net/http.StripPrefix.func1
  Sep 22 20:28:26 Test-Cluster-Node1-US-East teleport[19328]: net/http/server.go:2122 net/http.HandlerFunc.ServeHTTP
  Sep 22 20:28:26 Test-Cluster-Node1-US-East teleport[19328]: github.com/gravitational/teleport/lib/web/apiserver.go:430 github.com/gravitational/teleport/lib/web.NewHandler.func1
  Sep 22 20:28:26 Test-Cluster-Node1-US-East teleport[19328]: net/http/server.go:2122 net/http.HandlerFunc.ServeHTTP
  Sep 22 20:28:26 Test-Cluster-Node1-US-East teleport[19328]: github.com/julienschmidt/httprouter@v1.3.0/router.go:460 github.com/julienschmidt/httprouter.(*Router).ServeHTTP
  Sep 22 20:28:26 Test-Cluster-Node1-US-East teleport[19328]: github.com/gravitational/teleport/lib/web/apiserver.go:302 github.com/gravitational/teleport/lib/web.(*APIHandler).ServeHTTP
  Sep 22 20:28:26 Test-Cluster-Node1-US-East teleport[19328]: github.com/gravitational/oxy@v0.0.0-20221029012416-9fbf4c444680/ratelimit/tokenlimiter.go:118 github.com/gravitational/oxy/ratelimit.(*TokenLimiter).ServeHTTP
  Sep 22 20:28:26 Test-Cluster-Node1-US-East teleport[19328]: github.com/gravitational/oxy@v0.0.0-20221029012416-9fbf4c444680/connlimit/connlimit.go:75 github.com/gravitational/oxy/connlimit.(*ConnLimiter).ServeHTTP
  Sep 22 20:28:26 Test-Cluster-Node1-US-East teleport[19328]: github.com/gravitational/teleport/lib/httplib/httplib.go:94 github.com/gravitational/teleport/lib/httplib.MakeTracingHandler.func1
  Sep 22 20:28:26 Test-Cluster-Node1-US-East teleport[19328]: net/http/server.go:2122 net/http.HandlerFunc.ServeHTTP
  Sep 22 20:28:26 Test-Cluster-Node1-US-East teleport[19328]: go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp@v0.40.0/handler.go:213 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp.(*Handler).ServeHTTP
  Sep 22 20:28:26 Test-Cluster-Node1-US-East teleport[19328]: net/http/server.go:2936 net/http.serverHandler.ServeHTTP
  Sep 22 20:28:26 Test-Cluster-Node1-US-East teleport[19328]: net/http/server.go:1995 net/http.(*conn).serve
  Sep 22 20:28:26 Test-Cluster-Node1-US-East teleport[19328]: runtime/asm_amd64.s:1598 runtime.goexit
  Sep 22 20:28:26 Test-Cluster-Node1-US-East teleport[19328]: User Message: "/web/tokens/undefined" is not found] request:DELETE /webapi/sessions/web web/apiserver.go:3803

[GavinFrazar]

we should check if this can be reproduced on v11 as well

[pschisa]

Also noted during this investigation that when accessing the application directly via the application public URL, the web_idle_timeout doesnt seem to apply at all (as compared to launching the app through the Teleport Web UI). Video when the web_idle_timeout is set to 60s

https://github.com/gravitational/teleport/assets/75806143/09deb413-3e0e-42cd-a2c7-b94bf5086dde

Happy to file a separate issue if helpful

[kimlisa]

another issue:

if a user has a web UI opened in another tab, and application in another tab, the web UI timer will continue, and while the user may be active on an application, the web UI is inactive and will log the user out, which deletes both web and app sessions (kicking user out of the application as well)

[ravicious]

I could reproduce the issue on 15.3.5. FWIW, it does require clicking "Connect" next to an app in the Web UI. Initially I thought it's enough to just leave the Web UI running.

---

The other two reported problems have the same root cause and they seem mutually exclusive.

In the problem reported by Lisa, the user opens a cluster at example.com and an app at app.example.com and leaves both tabs running. Eventually, the Web UI running in the example.com tab considers the session invalid and logs out the user. This essentially invalidates the session on app.example.com as well, but the user probably won't notice that until they perform some action. I assume that in this scenario, the customer would want to keep the user logged in to app.example.com even after they get kicked out of the Web UI due to inactivity.

In the problem reported by Paul, the user opens an app proxied through Teleport, but accessed over public_addr. Even if a tab with Web UI is open next to it, inactivity in the Web UI tab will not remove cookies from the custom public_addr domain. I haven't been able to test it, but it should at least destroy the session in the Teleport proxy. So on the next reload or a request, I guess the user should also notice that the session is gone? But as I understand, in this scenario the customer would want somehow to the idle timeout apply to app access even if the Web UI is not running.