istio-ecosystem / authservice

Move OIDC token acquisition out of your app code and into the Istio mesh
Apache License 2.0
220 stars 62 forks

Failed to login, get "Oops, your session has expired. Please try again." #240

Open zhaohuabing opened 11 months ago

zhaohuabing commented 11 months ago

Sometimes the login fails the first time, but succeeds after a refresh.

user navigates to url -> redirected to OIDC provider -> login -> redirected back to original service -> user sees "Oops, your session has expired. Please try again." in the browser -> user can refresh the page, which fixes the issue, and the user is signed in

log from this event:

[2023-12-01 14:15:09.391] [console] [debug] Check: processing request https://c2d2.apps.dso.mil/oauth/callback?state=8MwlraGKWEWxtmJ96MGV2qHklvyQ2z8Bq1CyKNJsSvg&session_state=d178b39a-b273-4ba7-9b86-f6a39667417b&code=2919b5af-6846-4263-a579-75059a4ababe.d178b39a-b273-4ba7-9b86-f6a39667417b.c283dc72-0623-4fd3-b364-637c38d22f61 with filter chain c2d2
[2023-12-01 14:15:09.391] [console] [trace] New
[2023-12-01 14:15:09.391] [console] [trace] OidcFilter
[2023-12-01 14:15:09.391] [console] [trace] Process
[2023-12-01 14:15:09.391] [console] [debug] Call from @10.42.16.0 to dso.mil@10.42.11.10
[2023-12-01 14:15:09.391] [console] [trace] MatchesCallbackRequest: checking handler for https://c2d2.apps.dso.mil/oauth/callback?state=8MwlraGKWEWxtmJ96MGV2qHklvyQ2z8Bq1CyKNJsSvg&session_state=d178b39a-b273-4ba7-9b86-f6a39667417b&code=2919b5af-6846-4263-a579-75059a4ababe.d178b39a-b273-4ba7-9b86-f6a39667417b.c283dc72-0623-4fd3-b364-637c38d22f61
[2023-12-01 14:15:09.391] [console] [trace] MatchesCallbackRequest: matches_callback: true 
[2023-12-01 14:15:09.391] [console] [trace] RetrieveToken
[2023-12-01 14:15:09.391] [console] [trace] DecodeQueryData decode query: state=8MwlraGKWEWxtmJ96MGV2qHklvyQ2z8Bq1CyKNJsSvg&session_state=d178b39a-b273-4ba7-9b86-f6a39667417b&code=2919b5af-6846-4263-a579-75059a4ababe.d178b39a-b273-4ba7-9b86-f6a39667417b.c283dc72-0623-4fd3-b364-637c38d22f61
[2023-12-01 14:15:09.392] [console] [info] RetrieveToken: Missing state, nonce, and original url requested by the user. Cannot redirect.

zhaohuabing commented 11 months ago

I suspect it's caused by the sync lag between the redis master and redis slaves. A few retries would solve this.

lsjostro commented 9 months ago

@zhaohuabing you might want to have a look at an alternative implementation which is server-side stateless, which means it can scale with the number of replicas without needing redis/db as a session store. https://github.com/shelmangroup/envoy-oidc-authserver
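An added example, not code from authservice or from envoy-oidc-authserver, contrasting the two designs discussed in this thread. The first half simulates the store-backed callback from the log above: the state, nonce and original URL are written to a primary and read back on the callback from a replica that has not yet seen the write, which produces the "Missing state, nonce, and original url" miss (replication lag is modelled as an explicit Replicate() step, and the in-memory SessionStore stands in for Redis). The second half is a stateless alternative of the kind the linked project describes: nonce and original URL travel inside an HMAC-signed state parameter, so the callback verifies rather than looks up. Every name here (SessionStore, SignState, VerifyState, the key, nonces and URLs) is hypothetical.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// statePayload is what the callback must recover: the anti-CSRF nonce, the URL
// the user originally asked for, and an issue time so stale states are rejected.
type statePayload struct {
	Nonce       string `json:"n"`
	OriginalURL string `json:"u"`
	IssuedAt    int64  `json:"t"`
}

// NewNonce returns 32 random bytes, URL-safe base64 encoded.
func NewNonce() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// --- Variant 1: store-backed state (hypothetical stand-in for a Redis primary/replica) ---

// SessionStore writes to primary; the callback path reads the replica, which
// only sees writes once Replicate() has run.
type SessionStore struct {
	primary map[string]statePayload
	replica map[string]statePayload
}

func NewSessionStore() *SessionStore {
	return &SessionStore{primary: map[string]statePayload{}, replica: map[string]statePayload{}}
}

func (s *SessionStore) Put(state string, p statePayload) { s.primary[state] = p }

// Replicate copies primary to replica; until it runs, callback reads miss.
func (s *SessionStore) Replicate() {
	for k, v := range s.primary {
		s.replica[k] = v
	}
}

// CallbackStoreBacked looks the state up on the replica. A miss is the
// "Missing state, nonce, and original url" case: there is nowhere to redirect.
func CallbackStoreBacked(store *SessionStore, state string) (string, error) {
	p, ok := store.replica[state]
	if !ok {
		return "", errors.New("missing state, nonce, and original url; cannot redirect")
	}
	return p.OriginalURL, nil
}

// --- Variant 2: stateless state, HMAC-SHA256 signed, carried in the URL itself ---

// SignState serialises the payload and appends a tag over it, so the callback
// can verify the state without any server-side lookup.
func SignState(key []byte, p statePayload) (string, error) {
	body, err := json.Marshal(p)
	if err != nil {
		return "", err
	}
	mac := hmac.New(sha256.New, key)
	mac.Write(body)
	return base64.RawURLEncoding.EncodeToString(body) + "." +
		base64.RawURLEncoding.EncodeToString(mac.Sum(nil)), nil
}

// VerifyState checks the tag, the age, and that the nonce inside the state
// matches the nonce the browser presents in its cookie. Without that binding
// a valid state could be replayed from a different browser.
func VerifyState(key []byte, state, cookieNonce string, now time.Time, maxAge time.Duration) (statePayload, error) {
	var zero statePayload
	parts := strings.SplitN(state, ".", 2)
	if len(parts) != 2 {
		return zero, errors.New("malformed state")
	}
	body, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return zero, err
	}
	tag, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return zero, err
	}
	mac := hmac.New(sha256.New, key)
	mac.Write(body)
	if !hmac.Equal(tag, mac.Sum(nil)) {
		return zero, errors.New("bad state signature")
	}
	var p statePayload
	if err := json.Unmarshal(body, &p); err != nil {
		return zero, err
	}
	if now.Sub(time.Unix(p.IssuedAt, 0)) > maxAge {
		return zero, errors.New("state expired")
	}
	if subtle.ConstantTimeCompare([]byte(p.Nonce), []byte(cookieNonce)) != 1 {
		return zero, errors.New("state nonce does not match browser cookie")
	}
	return p, nil
}

func main() {
	store := NewSessionStore()
	store.Put("s1", statePayload{Nonce: NewNonce(), OriginalURL: "https://app.example/home"})
	_, err := CallbackStoreBacked(store, "s1")
	fmt.Println("store-backed, before replication:", err)
	store.Replicate()
	url, _ := CallbackStoreBacked(store, "s1")
	fmt.Println("store-backed, after replication:", url)

	key := []byte("hypothetical-shared-hmac-key") // assumption: shared by all replicas
	p := statePayload{Nonce: NewNonce(), OriginalURL: "https://app.example/home", IssuedAt: time.Now().Unix()}
	state, _ := SignState(key, p)
	got, err := VerifyState(key, state, p.Nonce, time.Now(), 10*time.Minute)
	fmt.Println("stateless:", got.OriginalURL, err)
}
```

The stateless variant removes the replica-lag failure because nothing is read back on the callback, but two things carry over: the nonce still has to be bound to the browser (here a cookie value compared in constant time against the nonce inside the state), since the state parameter alone is attacker-supplied on the callback; and the HMAC key must be shared by every replica and rotating it invalidates logins in flight, which is the cost of needing no shared store.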