Session Timeout not working when integrating with oic auth plugin #380
Comments
Those parameters handle the Jetty session timeout. Can you run the following in the console?
HYG
@zhassanpixel Sorry. Wrong copy/paste on my phone :( The goal is to have the stapler configuration
Result: 2, but since I installed the plugin it doesn't log me out.
I faced an issue on it too. After the timeout, people face the HTTP 403 error page, so they need to clean their cookies to be able to log in. I had to downgrade the plugin.
@eva-mueller-coremedia have you forked this plugin? The plugin id does not match. As for the logout, this is somewhat expected as you were not actually logged in (as the session has expired). Something at least smells not great around session/cookie authorisation/expiration.
Yes, I forked the plugin since I need to make some changes due to non-standard-conform Cognito logout behaviour 😢 (see #241)
Although I haven't gotten this to work either, I want to point out that sessionEviction units are seconds according to this article. A fix was made in this area last week.
👍 Our policies dictate that we must force users to re-authenticate again after being idle for 15 minutes. We enforce this at our IDP by having it invalidate OIDC refresh tokens if they are not refreshed at least every 15 minutes, with a maximum session time of many hours. What is happening for our users when idle is that the token becomes invalid and cannot be refreshed. The user sees an error message that the token cannot be refreshed. The user is forced to clear their cookies in order to be redirected again through the OIDC login process. This should be fixed by the plugin accepting timeout settings to control its behavior. Or possibly, in the case of encountering a "token cannot be refreshed" error, go get a new token instead, i.e. forward the user to the login because their session is invalid, for whatever the reason. Either way, idle sessions need to force the user to log in anew. This needs to be customizable as different organizations have different security policies on what is considered idle.
Jenkins and plugins versions report
Environment
What Operating System are you using (both controller, and any agents involved in the problem)?
Ubuntu 24.04 LTS
Reproduction steps
1- Set the JENKINS_OPTS session timeout (JENKINS_OPTS=--sessionTimeout=2 --sessionEviction=4)
2- Log in and wait 4 minutes; it should log you out
3- Integrate with the oic-auth plugin
Expected Results
It should log you out after 4 minutes.
Actual Results
It keeps the session open for almost a day.
Anything else?
No response
Are you interested in contributing a fix?
No response
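The reproduction steps pass `--sessionTimeout=2 --sessionEviction=4` and expect a logout after four minutes, while one comment points out that Winstone reads `--sessionEviction` in seconds (and `--sessionTimeout` in minutes). The helper below, an added example that is not part of the issue or of the oic-auth plugin, parses a JENKINS_OPTS string, converts both options to seconds and flags the case where the eviction period is shorter than the session timeout, which is what the reported settings produce. The sample option strings are constructed; only the two option names from the thread are interpreted.

```python
"""Normalize the Jenkins/Winstone session options to one unit (seconds).

Added example, not code from the issue or the oic-auth project. It only
interprets the two Winstone options named in the thread: --sessionTimeout
(read by Winstone in minutes) and --sessionEviction (read in seconds).
"""
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional

# Multiplier that converts each option's raw value to seconds.
OPTION_UNITS = {
    "sessionTimeout": 60,   # Winstone documents this option in minutes
    "sessionEviction": 1,   # ... and this one in seconds
}


@dataclass
class SessionSettings:
    timeout_s: Optional[int]   # None when the option is absent
    eviction_s: Optional[int]


def parse_jenkins_opts(opts: str) -> Dict[str, str]:
    """Split a JENKINS_OPTS string into {option: value}.

    Accepts both "--name=value" and "--name value"; a bare flag maps to "".
    """
    tokens = shlex.split(opts)
    parsed: Dict[str, str] = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("--"):
            name, sep, value = tok[2:].partition("=")
            # "--name value" form: consume the next token as the value
            if not sep and i + 1 < len(tokens) and not tokens[i + 1].startswith("--"):
                value = tokens[i + 1]
                i += 1
            parsed[name] = value
        i += 1
    return parsed


def session_settings(opts: str) -> SessionSettings:
    """Return both timeouts converted to seconds (None if not set)."""
    parsed = parse_jenkins_opts(opts)

    def in_seconds(name: str) -> Optional[int]:
        raw = parsed.get(name)
        if not raw:
            return None
        return int(raw) * OPTION_UNITS[name]

    return SessionSettings(in_seconds("sessionTimeout"), in_seconds("sessionEviction"))


def review(opts: str) -> List[str]:
    """Human-readable findings about the configured idle timeouts."""
    s = session_settings(opts)
    findings: List[str] = []
    if s.timeout_s is None:
        findings.append("sessionTimeout not set; the container default applies")
    else:
        findings.append(f"sessionTimeout = {s.timeout_s} s ({s.timeout_s // 60} min)")
    if s.eviction_s is None:
        findings.append("sessionEviction not set; the container default applies")
    else:
        findings.append(f"sessionEviction = {s.eviction_s} s")
    # Non-positive eviction values select Jetty's special eviction policies
    # rather than an idle period, so only compare a positive period.
    if (s.timeout_s is not None and s.eviction_s is not None
            and 0 < s.eviction_s < s.timeout_s):
        findings.append(
            "sessionEviction is shorter than sessionTimeout: check that the "
            "value was meant in seconds, not minutes"
        )
    return findings


if __name__ == "__main__":
    # Constructed sample: the options from the issue's reproduction steps.
    for line in review("--sessionTimeout=2 --sessionEviction=4"):
        print(line)
```

Run against the reproduction's options it reports a 120-second session timeout next to a 4-second eviction period, which makes the unit mix-up visible before anyone waits four minutes for a logout that the settings never asked for.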