Closed sparkoo closed 2 years ago
Issues go stale after 90d of inactivity.
Mark the issue as fresh by commenting /remove-lifecycle stale
.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen
.
If this issue is safe to close now please do so with /close
.
/lifecycle stale
Stale issues rot after 30d of inactivity.
Mark the issue as fresh by commenting /remove-lifecycle rotten
.
Rotten issues close after an additional 30d of inactivity.
Exclude this issue from closing by commenting /lifecycle frozen
.
If this issue is safe to close now please do so with /close
.
/lifecycle rotten /remove-lifecycle stale
Rotten issues close after 30d of inactivity.
Reopen the issue by commenting /reopen
.
Mark the issue as fresh by commenting /remove-lifecycle rotten
.
Exclude this issue from closing again by commenting /lifecycle frozen
.
/close
@openshift-bot: Closing this issue.
/reopen /remove-lifecycle rotten
@jianzhangbjz: Reopened this issue.
Hi, I reopen this issue since I met the same problem about the token refresh. Please feel free to close it if we have already addressed this issue, thanks!
Only improvement I've achieved is to set the oauth-proxy cookie lifetime to match the openshift token lifetime.
@sparkoo Hi, how long is the OpenShift token lifetime? Or where can I get it? Thanks!
Only improvement I've achieved is to set the oauth-proxy cookie lifetime to match the openshift token lifetime.
@sparkoo Hi, how long is the OpenShift token lifetime? Or where can I get it? Thanks!
@jianzhangbjz default openshift token lifetime is 24hrs. You can see and change it with oc edit oauth cluster
(https://docs.openshift.com/container-platform/4.10/authentication/configuring-internal-oauth.html#oauth-configuring-internal-oauth_configuring-internal-oauth).
I think it's not possible to refresh the access token, or at least I couldn't find any way how to do it. Only "solution" I've found is to match (or set lower) cookie lifetime with token lifetime.
@sparkoo Yeah..., thanks very much!
Issues go stale after 90d of inactivity.
Mark the issue as fresh by commenting /remove-lifecycle stale
.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen
.
If this issue is safe to close now please do so with /close
.
/lifecycle stale
/remove-lifecycle stale
The oauth-proxy does not in fact store the token even though there appears to be some code wiring that suggests otherwise. OpenShift does not mint refresh tokens. Hence this cannot be done.
Is there a way how to refresh OpenShift token? Now when OpenShift expires, AFAIU oauth-proxy is still using the old token, which is useless. Only improvement I've achieved is to set the oauth-proxy cookie lifetime to match the openshift token lifetime. This is not ideal as well. In both cases, if OpenShift token expires in the middle of long procedure doing multiple OpenShift API requests, it simply start failing the requests in the middle. It would be better if oauth-proxy could refresh the token in the background. Alternatively, I think it would be an UX improvement when the token expires, invalidate the cookie and redirect to login page. WDYT ?