With OIDC enabled the main page fails after some time of inactivity

[SilviaAmAm]

Reproducing

• Start the docker compose in backend/docker-services/keycloak with docker compose up.
• Add this setting (to for example base.py) OIDC_RENEW_ID_TOKEN_EXPIRY_SECONDS = 0.
• Enable OIDC. This can be done by loading the fixture oidc_config_test.json in the backend
• Start the backend and the frontend.
• Go to the OAB login page (http://localhost:3000/login) and login with OIDC.
• Close the OAB tab and after a bit go to http://localhost:3000/ This should cause a crash :thinking:

To do

Frontend

• [ ] Catch the 302 initiated by the backend and redirect the user to the login page

Backend

• [x] Investigate if there is a standard (i.e. not keycloak specific) way of detecting the session timeout of the IdP provider. https://github.com/maykinmedia/open-archiefbeheer/issues/422#issuecomment-2419709693
• [ ] If yes, show some warning if it doesn't match the Django session timeout.

[SilviaAmAm]

This happens because the ID token has expired and this code path is hit: https://github.com/mozilla/mozilla-django-oidc/blob/2c2334fdc9b2fc72a492b5f0e990b4c30de68363/mozilla_django_oidc/middleware.py#L131

The expiration interval is by default 15 min (https://github.com/mozilla/mozilla-django-oidc/blob/2c2334fdc9b2fc72a492b5f0e990b4c30de68363/mozilla_django_oidc/views.py#L58)

[SilviaAmAm]

What happens is:

1. The landingLoader is called.
2. This makes a call to getStatusMap: https://github.com/maykinmedia/open-archiefbeheer/blob/b03a1de1be635004d32e8ce70a9935f2c6adf2dd/frontend/src/pages/landing/Landing.loader.tsx#L21
3. getStatusMap makes a request to the backend https://github.com/maykinmedia/open-archiefbeheer/blob/b03a1de1be635004d32e8ce70a9935f2c6adf2dd/frontend/src/pages/landing/Landing.loader.tsx#L32
4. The ID token has expired, so the backend returns a 302 to redirect to keycloak.
5. This originates a request to the keycloak domain from the frontend. This is an unexpected Cross Origin request, so the browser (rightfully) blocks it.
6. The frontend does not expect this error. Disaster happens, crash.

[svenvandescheur]

What would be the correct behavior here, should we catch the exception and then redirect somewhere? How do we obtain a new id token?

[SilviaAmAm]

The correct behaviour would be to redirect to the /login page I think, so that the user can log in again :thinking:

Let's discuss it some times this week

[SilviaAmAm]

Investigated the setting OIDC_RENEW_ID_TOKEN_EXPIRY_SECONDS: https://github.com/mozilla/mozilla-django-oidc/blob/2c2334fdc9b2fc72a492b5f0e990b4c30de68363/docs/installation.rst#validate-id-tokens-by-renewing-them This is the setting that causes the token expiry and it defaults to 15 min.

If this and the SESSION_COOKIE_AGE are the same, then we should be okay.