The gateway does not call Keycloak to validate access tokens. So what can happen is that if the tokens issued by Keycloak are somehow invalidated (i.e. by a new Renku deployment) then the gateway will not be able to tell, because all the gateway does is validate the token signature and then parse the JWT. If the token says it is valid, we believe it. But deployments in some cases can invalidate the tokens directly on the Keycloak side.

We have a few solutions here:

- make sure that Helm upgrades do not invalidate tokens
- increase the verbosity of some logging in the gateway - currently a lot of messages that indicate that a token was expired or is not found are `Debug`, so they never show up in production logs, but these should be more like warnings and should show up

An additional quality of life improvement is the ability to log all users out by calling an endpoint on the gateway. This can then be used by Renku admins after a Renku deployment. When the endpoint is called, it will clear all active sessions and tokens.
Note that the linked Sentry error is most likely due to internal GitLab token sets getting invalidated. This happens in PR deployments after each re-deploy (i.e. each commit) because we overwrite the OAuth2 app settings, which invalidates tokens for some reason.

One potential solution could be to have a browser session status endpoint which could be periodically checked by clients to check their login status w.r.t. the gateway. The gateway would check the cookie session and validate the Keycloak and the GitLab tokens. In case any is invalid, the gateway can then invalidate the browser session and discard it (i.e. send a "Set-Cookie" to clear the browser session) and ask the client to log in again.
This is perhaps related to errors like this:
https://sentry.dev.renku.ch/organizations/sentry/issues/3051/?project=13&project=2&query=is%3Aunresolved&referrer=issue-stream
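The following is an added illustration, not code from the Renku gateway, of the gap described in the issue (signature-plus-expiry validation cannot see tokens the issuer has invalidated) and of the session status endpoint proposed above. It assumes an HS256 key standing in for Keycloak's signing key, an `introspect(provider, token)` callback standing in for an online check with Keycloak and GitLab, and a cookie named `session`.

```python
import base64, hashlib, hmac, json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_jwt(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT; stands in for Keycloak as issuer (constructed, not real Keycloak)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def offline_check(token: str, key: bytes, now: int) -> bool:
    """What the gateway does today: verify signature, parse claims, trust exp. Issuer-side revocation is invisible."""
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return False
    return int(json.loads(_b64url_decode(body))["exp"]) > now

def session_status(session: dict, key: bytes, introspect, now: int) -> dict:
    """Proposed session status endpoint: offline check plus an online check with each issuer
    via the assumed `introspect` callback; any failure clears the cookie and asks for a new login."""
    kc, gl = session.get("keycloak"), session.get("gitlab")
    kc_ok = kc is not None and offline_check(kc, key, now) and introspect("keycloak", kc)
    gl_ok = gl is not None and introspect("gitlab", gl)  # GitLab tokens are opaque: online check only
    if kc_ok and gl_ok:
        return {"status": 200, "logged_in": True, "headers": {}}
    return {"status": 401, "logged_in": False,
            "headers": {"Set-Cookie": "session=; Max-Age=0; Path=/; HttpOnly; Secure"}}

def demo() -> tuple:
    """Constructed scenario: a redeploy invalidates the Keycloak token while it still looks valid offline."""
    key, now = b"constructed-signing-key", 1_700_000_000
    token = make_jwt({"sub": "alice", "exp": now + 300}, key)
    active = {"keycloak": {token}, "gitlab": {"gl-opaque-token"}}   # the issuers' view of live tokens
    session = {"keycloak": token, "gitlab": "gl-opaque-token"}      # the gateway's cookie session
    introspect = lambda provider, tok: tok in active[provider]
    before = session_status(session, key, introspect, now)["status"]
    active["keycloak"].clear()                                      # the redeploy happens
    still_ok_offline = offline_check(token, key, now)
    after = session_status(session, key, introspect, now)["status"]
    return before, still_ok_offline, after

if __name__ == "__main__":
    print(demo())  # (200, True, 401)
```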