indigo-dc / oidc-agent

oidc-agent for managing OpenID Connect tokens on the command line
MIT License

(too) long timeout on oidc-add when the refresh token is expired #507

Closed carmelopellegrino closed 1 year ago

carmelopellegrino commented 1 year ago

Hello,

starting from INDIGO-IAM v.1.8.1, refresh tokens have a default expiration of 2592000 seconds (30 days).

Once the refresh token is expired, oidc-add takes up to 5 minutes+ to give up trying and say that:

Error: invalid_token: Refresh token for value [REFRESH_TOKEN] was not found
Most likely the refresh token expired. To create a new one, just run:
    $ oidc-gen [ACCOUNT] --reauthenticate

I dug down the code to this line where the HTTP code 401 - that is the HTTP code IAM returns when the refresh token is invalid - is not listed, effectively retrying the operation without luck. It could be useful to add a case 401: in the list to immediately break instead of retrying.

zachmann commented 1 year ago

Once the refresh token is expired, oidc-add takes up to 5 minutes+ to give up trying and say that:

Error: invalid_token: Refresh token for value [REFRESH_TOKEN] was not found
Most likely the refresh token expired. To create a new one, just run:
  $ oidc-gen [ACCOUNT] --reauthenticate

Could you please tell me on what kind of system do you use oidc-agent? In particular do you have a GUI and oidc-prompt available?

I dug down the code to this line where the HTTP code 401 - that is the HTTP code IAM returns when the refresh token is invalid - is not listed, effectively retrying the operation without luck. It could be useful to add a case 401: in the list to immediately break instead of retrying.

The code does the opposite, the listed codes are the ones for which the http req is retried (also the retry is limited and will take much less time than 5min).

What's going on is that oidc-agent automatically tries to start the re-authentication. Apparently this does not work (I guess oidc-prompt is not available) and then oidc-agent blocks for 5min. This behavior is not optimal, but it is what we currently have - this might be improved in oidc-agent 5. If the problem is really the missing oidc-prompt we can detect that and not start the auto-reauth in that case.

To disable (and confirm that this is the problem) you can start the agent with the --no-autoreauthenticate option. This will disable the auto reauthentication and directly return the error.

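To make the retry semantics discussed above concrete (the listed status codes are the ones that trigger a retry, the retry count is bounded, and any unlisted code such as 401 falls out of the loop immediately), here is an added example in C. It is not oidc-agent's code: the retryable codes (502/503/504), the retry limit and the fake transport are assumptions chosen for illustration. It also shows the point that caused the confusion in the thread: a `break` inside the `switch` leaves only the `switch`, so the loop condition is what actually decides whether another request is made.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not oidc-agent's code. Models a bounded retry loop in
 * which only a listed set of HTTP status codes causes a retry; every
 * other code (401 for an expired/invalid refresh token included) ends
 * the loop after the first attempt. Codes and limit are assumptions. */

#define MAX_RETRIES 3   /* assumption: at most 3 retries after the first try */

/* Scripted fake transport (constructed for the example): returns the
 * next status code of a sequence and then keeps returning the last one. */
typedef struct {
    const int *codes;
    size_t n;
    size_t next;
} fake_transport;

static int fake_request(fake_transport *t) {
    if (t->next < t->n) {
        return t->codes[t->next++];
    }
    return t->codes[t->n - 1];
}

/* Performs the request, retrying only on the listed codes and at most
 * MAX_RETRIES times. Returns the final HTTP code; *attempts_out receives
 * the number of requests actually sent. */
int request_with_retry(fake_transport *t, int *attempts_out) {
    int attempts = 0;
    int code;
    bool retry;
    do {
        code = fake_request(t);
        attempts++;
        switch (code) {
            case 502:       /* the listed, retryable codes (assumption) */
            case 503:
            case 504:
                retry = true;
                break;      /* leaves the switch only, not the do-while */
            default:
                retry = false;   /* 200, 401, ... : no retry */
                break;
        }
    } while (retry && attempts <= MAX_RETRIES);
    *attempts_out = attempts;
    return code;
}

/* Convenience wrappers so the outcome of a scripted sequence can be
 * inspected (and asserted on) without building the transport by hand. */
int final_code_for(const int *codes, size_t n) {
    fake_transport t = { codes, n, 0 };
    int attempts;
    return request_with_retry(&t, &attempts);
}

int attempts_for(const int *codes, size_t n) {
    fake_transport t = { codes, n, 0 };
    int attempts;
    request_with_retry(&t, &attempts);
    return attempts;
}

int main(void) {
    const int expired_rt[] = { 401 };                 /* IAM: RT not found */
    const int flaky[] = { 503, 503, 200 };            /* transient, then ok */
    const int down[] = { 503 };                       /* never recovers */

    printf("401: code=%d attempts=%d\n",
           final_code_for(expired_rt, 1), attempts_for(expired_rt, 1));
    printf("503,503,200: code=%d attempts=%d\n",
           final_code_for(flaky, 3), attempts_for(flaky, 3));
    printf("503 forever: code=%d attempts=%d\n",
           final_code_for(down, 1), attempts_for(down, 1));
    return 0;
}
```

With these assumptions an expired refresh token (401) costs exactly one request, a transient 503 is retried until it clears, and a persistent 503 stops after the first attempt plus MAX_RETRIES retries, which is why the retry path by itself cannot account for a multi-minute delay.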
marcvs commented 1 year ago

We're currently not pushing oidc-prompt to the linux distributions, because our dependency management is not pure enough. oidc-prompt is available in our own repository at https://repo.data.kit.edu (append /prerel for prereleases)

carmelopellegrino commented 1 year ago

Hello @zachmann,

Could you please tell me on what kind of system do you use oidc-agent? In particular do you have a GUI and oidc-prompt available?

sorry for the rush in opening the issue. I'm using oidc-agent 4.5.1 on CentOS 7.9, installed RPM from the official repository (https://repo.data.kit.edu/). oidc-prompt is installed, but I'm accessing the remote server via ssh with no graphical user interface. Is oidc-prompt supposed to show a gui window?

My workflow is very basic, never had the need for a GUI. Just for information, the part of my workflow concerning oidc-agent can be reduced to just:

eval `oidc-agent-service use`
oidc-add client_name
oidc-token client_name

The code does the opposite, the listed codes are the ones for which the http req is retried (also the retry is limited and will take much less time than 5min).

Yes, sorry. I got confused because I wrongly identified the break statement as acting on the do-while.

To disable (and confirm that this is the problem) you can start the agent with the --no-autoreauthenticate option. This will disable the auto reauthentication and directly return the error.

I'll try this tomorrow (today is holiday in Italy :) )

Carmelo

marcvs commented 1 year ago

Hi @carmelopellegrino ,

the general idea is that the agent runs on your desktop machine (just like ssh-agent). When you login to a remote server you would ideally use agent forwarding.

But, of course, I might not fully understand the requirements of your setup.

Enjoy your holiday!!

carmelopellegrino commented 1 year ago

Good morning,

I've performed some tests:

  1. registered a test client on my desktop PC (ArchLinux, oidc-agent built from sources 4.5.0) and set expiration of the refresh token to 300 seconds (default is 1 month). After 5 minutes, requested a fresh token with oidc-token -f test and got the following error:

    Error: the other party disconnected

    No GUI window showed up, time to exit 33 seconds.

  2. registered a test client on the remote machine (the same where I got the 5 minutes delay), configured to forward X11 via ssh (tested with ssh -XY remotehost xeyes, it works). As per the previous case, I've shortened the refresh token expiry to 300 seconds, waited and requested a fresh token with oidc-token -f test. Same error as before, same time to wait (33 seconds) and no GUI window.

Is there anything else I can test?

Cheers, Carmelo

PS: thank you for pointing out the agent forwarding. It's interesting for another use-case I have. For this one, I need to setup a machine that can automatically perform operations completely unattended (it's a cronjob) and for the moment I've set my client on IAM to never expire refresh tokens.

zachmann commented 1 year ago

Error: the other party disconnected

This indicates that oidc-agent crashed - it's certainly something we should fix. Was this with the --no-autoreauthenticate option or without it?

The 33 seconds is nothing I recognize; I would need to investigate this more.

zachmann commented 1 year ago

Is the refresh token lifetime a configuration that can only be set by IAM admins? I cannot see an option to configure this for an existing or new client.

carmelopellegrino commented 1 year ago

Hello,

Is the refresh token lifetime a configuration that can only be set by IAM admins?

I'm an IAM admin, so I have all the permissions. Actually, I also briefly got in contact with the IAM developers and maybe there is a bug in the latest version of IAM (1.8.1) that doesn't update correctly the chosen refresh token expiration.

This indicates that oidc-agent crashed - it's certainly something we should fix. Was this with the --no-autoreauthenticate option or without it?

actually oidc-agent didn't crash and it's still alive, but probably in an unusable state. And yes, I launched oidc-agent --no-autoreauthenticate.

zachmann commented 1 year ago

Hi @carmelopellegrino sorry for the delayed response.

I now had time to look into this again. I created my own iam instance so I can alter the RT lifetime. Unfortunately, I could not reproduce the issue. Without the --no-reauthenticate option, I get the prompt for re-authentication if the RT expired, for both oidc-token and oidc-add. If I start the agent with the --no-reauthenticate option, I get the following error immediately:

Error: invalid_token: Refresh token for value eyJhbGci... was not found
Most likely the refresh token expired. To create a new one, just run:
    $ oidc-gen <shortname> --reauthenticate

This is all expected behavior and there were no unexpected delays on my machine.