Bug 57515 - Wrong handling of OIDC token refreshing when refresh token is rejected
Summary: Wrong handling of OIDC token refreshing when refresh token is rejected
Status: CLOSED FIXED
Alias: None
Product: UCS
Classification: Unclassified
Component: UMC (Generic)
Version: UCS 5.0
Hardware: Other Linux
: P5 normal
Target Milestone: UCS 5.0-9-errata
Assignee: Iván.Delgado
QA Contact: Felix Botner
URL: https://git.knut.univention.de/univen...
Keywords:
Depends on:
Blocks:
 
Reported: 2024-08-14 14:18 CEST by Marius Meschter
Modified: 2025-03-21 14:26 CET (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 1: Will affect a very few installed domains
How will those affected feel about the bug?: 5: Blocking further progress on the daily work
User Pain: 0.143
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Customer ID:
Max CVSS v3 score:


Attachments

Description Marius Meschter univentionstaff 2024-08-14 14:18:17 CEST
If the session is deleted at the OP (e.g. manually deleting a session in the Keycloak Admin UI, not via logout), the session is not deleted at the UMC, which is fine. However, we do attempt to refresh the access token on every request to the UMC.

This is generally not an issue since it probably doesn't happen that often; it is, however, annoying during debugging because UMC thinks the session is still active but fails to refresh the access tokens, leading to not being able to log in.

IMO the solution here would be to log the user out and delete the session if the OIDC token refresh fails.
Comment 2 Jürn Brodersen univentionstaff 2024-08-23 11:28:46 CEST
I increased the user pain, because Keycloak marks a session as inactive after half an hour of inactivity (can be configured in the realm settings). The refresh token is not accepted for an inactive session, and you get this bug.
At that point, the UMC is unusable for the user; you only get the login error.

Workarounds:
- Delete the session cookie
- or Wait for the session cookie to expire
- or Restart the umc

IMHO none of these are obvious to the average user or a nice user experience.
Comment 3 Jürn Brodersen univentionstaff 2024-08-23 11:54:12 CEST
Relevant error messages:

- Keycloak (inactive session)
2024-08-22 15:49:17,174 WARN  [org.keycloak.events] (executor-thread-10) type="REFRESH_TOKEN_ERROR", realmId="ucs", realmName="ucs", clientId="https://master.ucs.test/univention/oidc/", userId="null", sessionId="ba2023f4-df82-4bd5-9409-a8fbb918ba10", ipAddress="10.207.175.82", error="invalid_token", reason="Session not active", grant_type="refresh_token", refresh_token_type="Refresh", refresh_token_id="c920229b-d5ec-42ad-9fa8-97475a746ed9", client_auth_method="client-secret"

- Keycloak (deleted session)
2024-08-22 14:45:30,661 WARN  [org.keycloak.events] (executor-thread-1) type="REFRESH_TOKEN_ERROR", realmId="ucs", realmName="ucs", clientId="https://master.ucs.test/univention/oidc/", userId="null", ipAddress="10.207.175.82", error="invalid_token", reason="Token is not active", grant_type="refresh_token", client_auth_method="client-secret"

- UMC (inactive keycloak session)
22.08.24 15:49:16.974  MAIN        ( ERROR   ) : Could not get new access token: b'{"error":"invalid_grant","error_description":"Session not active"}'

- UMC (deleted keycloak session)
management-console-server.log:22.08.24 14:52:18.496  MAIN        ( ERROR   ) : Could not get new access token: b'{"error":"invalid_grant","error_description":"Token is not active"}'
Comment 4 Iván.Delgado univentionstaff 2024-09-26 12:10:34 CEST
The issue was solved by performing a logout when the refresh token fails, which deletes the UMC session and cleans the state.

univention-management-console.yaml
cafe315f9b0c | Bug #57515: univention-management-console advisory

univention-management-console (12.0.35-1)
864567b115e5 | fix(oidc): Logout when session refresh fail due to OP session deleted manually

univention-ldap (15.0.0-39)
c70f99e8ff52 | Bug #46120 ldap: Removed unused files

ucs-test (10.0.23-3)
7aaf0dd99379 | fixup! test(oidc): test session logout with invalid access token

ucs-test (10.0.23-2)
c86fb34cae4d | docs(ucs-test): Explain how to run specific Playwright test
28e95f6d60b6 | test(oidc): test session logout with invalid access token


Package: univention-management-console
Version: 12.0.35-1
Branch: 5.0-0
Scope: errata5.0-9

Successful build
Package: ucs-test
Version: 10.0.23-3
Branch: 5.0-0
Scope: errata5.0-9
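As an added illustration (not code from UCS or from the commits listed above), here is a Python model of the UMC-side decision described in the Description and fixed in Comment 4: a session whose OIDC refresh is rejected by the OP is deleted (the user is logged out) instead of being kept alive and failing on every request. The session-store layout and the simulated token endpoint are assumptions; the rejection bodies are constructed from the UMC log lines in Comment 3.

```python
import json

# Token endpoint replies constructed from the UMC log lines in Comment 3.
SESSION_NOT_ACTIVE = (400, b'{"error":"invalid_grant","error_description":"Session not active"}')
TOKEN_NOT_ACTIVE = (400, b'{"error":"invalid_grant","error_description":"Token is not active"}')
REFRESH_OK = (200, b'{"access_token":"at-new","refresh_token":"rt-new","expires_in":300}')


class RefreshRejected(Exception):
    """The OP refused the refresh token, so the OP-side session is gone."""


def refresh_access_token(session, token_endpoint):
    """Exchange the session's refresh token at the (simulated) OP token endpoint.
    `session` is a dict with 'access_token' and 'refresh_token' (assumed layout)."""
    status, body = token_endpoint(session["refresh_token"])
    data = json.loads(body)
    if status != 200 or "access_token" not in data:
        raise RefreshRejected(data.get("error_description") or data.get("error"))
    session["access_token"] = data["access_token"]
    session["refresh_token"] = data.get("refresh_token", session["refresh_token"])


def handle_request_before_fix(sessions, session_id, token_endpoint):
    """Old behaviour: the error is only reported, the UMC session survives and
    every later request hits the same rejected refresh, so the user is stuck."""
    session = sessions.get(session_id)
    if session is None:
        return "login_required", None
    try:
        refresh_access_token(session, token_endpoint)
    except RefreshRejected as exc:
        return "error", str(exc)
    return "ok", session["access_token"]


def handle_request_after_fix(sessions, session_id, token_endpoint):
    """Fixed behaviour (Comment 4): a rejected refresh logs the user out by
    deleting the UMC session, so the next request starts with a fresh login."""
    session = sessions.get(session_id)
    if session is None:
        return "login_required", None
    try:
        refresh_access_token(session, token_endpoint)
    except RefreshRejected as exc:
        del sessions[session_id]
        return "logged_out", str(exc)
    return "ok", session["access_token"]
```

The two handlers differ only in what happens after `RefreshRejected`: the old one leaves the stale session in place, which is exactly the stuck state described in Comment 2.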
Comment 5 Felix Botner univentionstaff 2024-09-30 09:44:50 CEST
OK - univention-management-console.yaml (12.0.35-2)
Comment 6 Iván.Delgado univentionstaff 2024-09-30 12:04:05 CEST
--------------5.1------------------
univention-management-console (13.0.24)
6e7f2e12a12b | fix(oidc): Logout when session refresh fail due to OP session deleted manually

ucs-test (11.0.56)
a2e6fe0ccd6a | test(oidc): test session logout with invalid access token

Successful build
Package: univention-management-console
Version: 13.0.24
Branch: 5.1-0

Successful build
Package: ucs-test
Version: 11.0.56
Branch: 5.1-0

--------------5.2------------------

univention-management-console (14.0.33)
5250b7edc1a9 | fix(oidc): Logout when session refresh fail due to OP session deleted manually

ucs-test (12.0.180)
a6f4c0378f2d | test(oidc): test session logout with invalid access token


Successful build
Package: univention-management-console
Version: 14.0.33
Branch: 5.2-0

Successful build
Package: ucs-test
Version: 12.0.180
Branch: 5.2-0
Comment 7 Iván.Delgado univentionstaff 2024-10-07 14:53:20 CEST
<https://errata.software-univention.de/#/?erratum=5.0x1131>