Closed sparkoo closed 2 years ago
openshift-bot
commented
2 years ago Issues go stale after 90d of inactivity.
Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.
If this issue is safe to close now please do so with /close.
/lifecycle stale
openshift-bot
commented
2 years ago Stale issues rot after 30d of inactivity.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.
Exclude this issue from closing by commenting /lifecycle frozen.
If this issue is safe to close now please do so with /close.
/lifecycle rotten /remove-lifecycle stale
openshift-bot
commented
2 years ago Rotten issues close after 30d of inactivity.
Reopen the issue by commenting /reopen.
Mark the issue as fresh by commenting /remove-lifecycle rotten.
Exclude this issue from closing again by commenting /lifecycle frozen.
/close
openshift-ci[bot]
commented
2 years ago @openshift-bot: Closing this issue.
jianzhangbjz
commented
2 years ago /reopen /remove-lifecycle rotten
openshift-ci[bot]
commented
2 years ago @jianzhangbjz: Reopened this issue.
jianzhangbjz
commented
2 years ago Hi, I reopen this issue since I met the same problem about the token refresh. Please feel free to close it if we have already addressed this issue, thanks!
jianzhangbjz
commented
2 years ago Only improvement I've achieved is to set the oauth-proxy cookie lifetime to match the openshift token lifetime.
@sparkoo Hi, how long is the OpenShift token lifetime? Or where can I get it? Thanks!
sparkoo
commented
2 years ago Only improvement I've achieved is to set the oauth-proxy cookie lifetime to match the openshift token lifetime.
@sparkoo Hi, how long is the OpenShift token lifetime? Or where can I get it? Thanks!
@jianzhangbjz default openshift token lifetime is 24hrs. You can see and change it with oc edit oauth cluster (https://docs.openshift.com/container-platform/4.10/authentication/configuring-internal-oauth.html#oauth-configuring-internal-oauth_configuring-internal-oauth).
I think it's not possible to refresh the access token, or at least I couldn't find any way how to do it. Only "solution" I've found is to match (or set lower) cookie lifetime with token lifetime.
jianzhangbjz
commented
2 years ago @sparkoo Yeah..., thanks very much!
openshift-bot
commented
2 years ago Issues go stale after 90d of inactivity.
Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.
If this issue is safe to close now please do so with /close.
/lifecycle stale
jianzhangbjz
commented
2 years ago /remove-lifecycle stale
stlaz
commented
2 years ago The oauth-proxy does not in fact store the token even though there appears to be some code wiring that suggests otherwise. OpenShift does not mint refresh tokens. Hence this cannot be done.
Is there a way how to refresh OpenShift token? Now when OpenShift expires, AFAIU oauth-proxy is still using the old token, which is useless. Only improvement I've achieved is to set the oauth-proxy cookie lifetime to match the openshift token lifetime. This is not ideal as well. In both cases, if OpenShift token expires in the middle of long procedure doing multiple OpenShift API requests, it simply start failing the requests in the middle. It would be better if oauth-proxy could refresh the token in the background. Alternatively, I think it would be an UX improvement when the token expires, invalidate the cookie and redirect to login page. WDYT ?