OIDC authentication with SSO kubeflow page getting session timed out

[subasathees]

Validation Checklist

• [X] Is this a Kubeflow issue?
• [X] Are you posting in the right repository ?
• [X] Did you follow the installation guide https://github.com/kubeflow/manifests?tab=readme-ov-file ?
• [X] Is the issue report properly structured and detailed with version numbers?
• [ ] Is this for Kubeflow development ?
• [X] Would you like to work on this issue?
• [ ] You can join the CNCF Slack and access our meetings at the Kubeflow Community website. Our channel on the CNCF Slack is here #kubeflow-platform.

Version

1.8

Describe your issue

Hi All, Facing kubeflow page session expire when it's in ideal for more then 15 min. we want to keep the ideal session more then 1 hour mininum.

• As per SSO server side, The default lifetime for the refresh tokens is 15min and Access token is 8 hours.
• Kubeflow central dashboard and Jupyter web pages are getting session timeout with in 15 min of time, but it will extend another 15 min if we refresh the central dashboard page manually.
• We are running pingid for sso auth.
• Details are given below, where we can change the timeout configuration for OIDC, tried with multiple methods and option those are not successful.

Note: Uses are running notebooks for modal testing which taken more then 1 hour and kubeflow page session should not expire.

Environment Details: Kubeflow Version: v1.8 Kubernetes version: v 1.23.5 Kubeflow setup: followed the kubeflow manifest method. We are running pingid for sso auth.

OIDC POD Error: After 15 min of ideal session.

time="2024-06-18T15:54:42Z" level=error msg="
Failed to refresh token: oidc: get access token: oauth2: cannot fetch token: 400 Bad Request
\nResponse: {\"error_description\":\"unknown, invalid, or **expired refresh token**\",\"error\":\"invalid_grant\"}" context="session authenticator" ip=10.233.109.143 request="/notebook/tai-titer-da-ws/firsttest/api/kernels?1718726082426"
time="2024-06-18T15:54:42Z" level=info msg="**OAuth2 tokens have expired, revoking OIDC session**" context="session authenticator" ip=10.233.109.143 request="/notebook/tai-titer-da-ws/firsttest/api/kernels?1718726082426"
time="2024-06-18T15:54:42Z" level=info msg="Attempting to revoke refresh token..."
time="2024-06-18T15:54:42Z" level=error msg="Failed to refresh token: oidc: get access token: oauth2: cannot fetch token: 400 Bad Request\nResponse: {\"error_description\":\"unknown, invalid, or expired refresh token\",\"error\":\"invalid_grant\"}" context="session authenticator" ip=10.233.109.143 request="/notebook/tai-titer-da-ws/firsttest/api/terminals?1718726082425"
time="2024-06-18T15:54:42Z" level=info msg="OAuth2 tokens have expired, revoking OIDC session" context="session authenticator" ip=10.233.109.143 request="/notebook/tai-titer-da-ws/firsttest/api/terminals?1718726082425"
time="2024-06-18T15:54:42Z" level=info msg="Attempting to revoke refresh token..."

OIDC Provider configuration. File: common/oidc-client/oidc-authservice/base/params.env

OIDC_PROVIDER=https://auth.example.com
OIDC_AUTH_URL=https://auth.example.com/as/authorization.oauth2
OIDC_SCOPES=profile email
REDIRECT_URL=https://kfserver.example.com/login/oidc
AUTHSERVICE_URL_PREFIX=/authservice/
USERID_HEADER=kubeflow-userid
USERID_PREFIX=
USERID_CLAIM=email
GROUPS_CLAIM=
GROUPS_HEADER=
PORT="8080"
STORE_PATH=/var/lib/authservice/data.db
LOG_LEVEL=INFO
SKIP_AUTH_URLS=/as
AFTER_LOGOUT_URL=https://auth.example.com/idp/startSLO.ping
CACHE_ENABLED=true
CACHE_EXPIRATION_MINUTES=1440

Error From Kubeflow page:

Steps to reproduce the issue

1. Install and configure kubeflow v1.8 as per document
2. Configure Any OIDC SSO for UI authentication
3. run a jupyter notebook and wait for 15 min ideal, the session timeout start.

Put here any screenshots or videos (optional)

No response