wso2 / product-is

Apache License 2.0

Sudden session timeout from console #19466

Closed Thisara-Welmilla closed 9 months ago

Thisara-Welmilla commented 9 months ago

Getting a session timeout in the latest build (not reproducible in the IS-7.0-beta7 pack). The following error log can be observed.

[2024-02-09 13:33:33,279] [7e3a4be3-1c22-4316-87b0-fbaa6c635fe2] ERROR {org.wso2.carbon.identity.oauth2.token.bindings.handlers.TokenBindingExpiryEventHandler} - Error while revoking the tokens on session termination. org.apache.oltu.oauth2.common.exception.OAuthSystemException: Failed to retrieve token binding value.
    at org.wso2.carbon.identity.oauth2.token.bindings.impl.CookieBasedTokenBinder.getTokenBindingValue(CookieBasedTokenBinder.java:97)
    at org.wso2.carbon.identity.oauth2.token.bindings.handlers.TokenBindingExpiryEventHandler.getBindingRefFromType(TokenBindingExpiryEventHandler.java:240)
    at org.wso2.carbon.identity.oauth2.token.bindings.handlers.TokenBindingExpiryEventHandler.revokeTokensForBindingType(TokenBindingExpiryEventHandler.java:205)
    at org.wso2.carbon.identity.oauth2.token.bindings.handlers.TokenBindingExpiryEventHandler.handleEvent(TokenBindingExpiryEventHandler.java:101)
    at org.wso2.carbon.identity.event.services.IdentityEventServiceImpl.handleEvent(IdentityEventServiceImpl.java:56)
    at org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils.triggerSessionExpireEvent(FrameworkUtils.java:1349)
    at org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils.getSessionContextFromCache(FrameworkUtils.java:1263)
    at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator.findPreviousAuthenticatedSession(DefaultRequestCoordinator.java:886)
    at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator.initializeFlow(DefaultRequestCoordinator.java:742)
    at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator.handle(DefaultRequestCoordinator.java:220)
    at org.wso2.carbon.identity.application.authentication.framework.CommonAuthenticationHandler.doPost(CommonAuthenticationHandler.java:57)
    at org.wso2.carbon.identity.application.authentication.framework.CommonAuthenticationHandler.doGet(CommonAuthenticationHandler.java:46)
    at org.wso2.carbon.identity.oidc.session.servlet.OIDCLogoutServlet.sendRequestToFramework(OIDCLogoutServlet.java:875)
    at org.wso2.carbon.identity.oidc.session.servlet.OIDCLogoutServlet.sendToFrameworkForLogout(OIDCLogoutServlet.java:739)
    at org.wso2.carbon.identity.oidc.session.servlet.OIDCLogoutServlet.doGet(OIDCLogoutServlet.java:276)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:529)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:623)
    at org.eclipse.equinox.http.helper.ContextPathServletAdaptor.service(ContextPathServletAdaptor.java:37)
    at org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
    at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128)
    at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:60)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:623)
    at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:209)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:51)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:178)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:153)
    at org.apache.catalina.core.ApplicationDispatcher.invoke(ApplicationDispatcher.java:661)
    at org.apache.catalina.core.ApplicationDispatcher.processRequest(ApplicationDispatcher.java:425)
    at org.apache.catalina.core.ApplicationDispatcher.doForward(ApplicationDispatcher.java:357)
    at org.apache.catalina.core.ApplicationDispatcher.forward(ApplicationDispatcher.java:294)
    at org.wso2.carbon.identity.context.rewrite.valve.TenantContextRewriteValve.invoke(TenantContextRewriteValve.java:155)
    at org.wso2.carbon.identity.context.rewrite.valve.OrganizationContextRewriteValve.invoke(OrganizationContextRewriteValve.java:123)
    at org.wso2.carbon.tomcat.ext.valves.SameSiteCookieValve.invoke(SameSiteCookieValve.java:38)
    at org.wso2.carbon.identity.cors.valve.CORSValve.invoke(CORSValve.java:83)
    at org.wso2.carbon.identity.authz.valve.AuthorizationValve.invoke(AuthorizationValve.java:211)
    at org.wso2.carbon.identity.auth.valve.AuthenticationValve.invoke(AuthenticationValve.java:120)
    at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:110)
    at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:49)
    at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:71)
    at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:152)
    at org.wso2.carbon.extension.identity.x509Certificate.valve.X509CertificateAuthenticationValve.invoke(X509CertificateAuthenticationValve.java:59)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:670)
    at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:63)
    at org.wso2.carbon.tomcat.ext.valves.RequestEncodingValve.invoke(RequestEncodingValve.java:49)
    at org.wso2.carbon.tomcat.ext.valves.RequestCorrelationIdValve.invoke(RequestCorrelationIdValve.java:137)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:390)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:63)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:928)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1794)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:52)
    at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
    at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.base/java.lang.Thread.run(Thread.java:829)
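
Added triage helper, not part of the issue or of the product's own code: it parses a Carbon log record of the shape above ("[timestamp] [correlation-id] LEVEL {logger} - message" followed by "at ..." frames) and pulls out the correlation id, the exception class, the frame that raised it and the product servlet that received the HTTP request, so the trace's entry point can be read mechanically rather than by eye. The sample is a constructed, shortened copy of the trace above.

```python
import re

# Constructed sample: the report's error line plus a shortened copy of its stack
# trace, in the Carbon format "[timestamp] [correlation-id] LEVEL {logger} - message".
SAMPLE_LOG = """\
[2024-02-09 13:33:33,279] [7e3a4be3-1c22-4316-87b0-fbaa6c635fe2] ERROR {org.wso2.carbon.identity.oauth2.token.bindings.handlers.TokenBindingExpiryEventHandler} - Error while revoking the tokens on session termination. org.apache.oltu.oauth2.common.exception.OAuthSystemException: Failed to retrieve token binding value.
    at org.wso2.carbon.identity.oauth2.token.bindings.impl.CookieBasedTokenBinder.getTokenBindingValue(CookieBasedTokenBinder.java:97)
    at org.wso2.carbon.identity.oauth2.token.bindings.handlers.TokenBindingExpiryEventHandler.handleEvent(TokenBindingExpiryEventHandler.java:101)
    at org.wso2.carbon.identity.application.authentication.framework.util.FrameworkUtils.triggerSessionExpireEvent(FrameworkUtils.java:1349)
    at org.wso2.carbon.identity.application.authentication.framework.CommonAuthenticationHandler.doGet(CommonAuthenticationHandler.java:46)
    at org.wso2.carbon.identity.oidc.session.servlet.OIDCLogoutServlet.doGet(OIDCLogoutServlet.java:276)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:529)
    at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)
"""

HEADER_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[(?P<cid>[^\]]+)\] (?P<level>\w+) "
                       r"\{(?P<logger>[^}]+)\} - (?P<msg>.*)$")
FRAME_RE = re.compile(r"^\s+at (?P<cls>[\w.$]+)\.(?P<method>[\w$<>]+)\((?P<loc>[^)]*)\)$")
EXC_RE = re.compile(r"(?P<exc>[\w.]+(?:Exception|Error)): (?P<detail>.*)$")


def parse_event(text):
    """Parse one Carbon log record and the stack trace that follows it."""
    lines = text.strip().splitlines()
    m = HEADER_RE.match(lines[0])
    if not m:
        raise ValueError("not a Carbon log line")
    event = m.groupdict()
    exc = EXC_RE.search(event["msg"])
    event["exception"] = exc.group("exc") if exc else None
    # Frames that do not match (e.g. "java.base/..." module-qualified ones) are skipped.
    event["frames"] = [f.groupdict() for f in map(FRAME_RE.match, lines[1:]) if f]
    return event


def origin(event):
    """Innermost frame, i.e. where the exception was raised."""
    f = event["frames"][0]
    return f"{f['cls']}.{f['method']}"


def handling_servlet(event, prefix="org.wso2."):
    """Outermost product frame entered via HttpServlet doGet/doPost: the servlet
    that received the HTTP request, which is what triggered the event chain."""
    hits = [f for f in event["frames"]
            if f["cls"].startswith(prefix) and f["method"] in ("doGet", "doPost")]
    if not hits:
        return None
    return f"{hits[-1]['cls']}.{hits[-1]['method']}"
```

Run over the full trace in the report, the same functions give the correlation id to search for in the access log and OIDCLogoutServlet.doGet as the request that fired the session-expire event.
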
DMHP commented 9 months ago

I tried several times, but I was not able to reproduce this. The posted error is not useful for analysing the scenario, as it was printed after the OIDC logout was triggered. We need to find out how the logout was triggered. I will test the behavior for a few days and monitor.

DMHP commented 9 months ago

Closing the issue as I could not reproduce this in the latest pack.

Thisara-Welmilla commented 9 months ago

Steps to reproduce:

  1. Create a user and assign a role or a group (which gives console access).
  2. Log in to the console with that user.
  3. Remove the user's access from that role or group.
  4. This will cause the token to be revoked. Then click the sign-in button.