Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

JWT expired earlier than reported (K8s with gitlab as oidc provider) #22130

Closed
danleepw opened this issue Apr 5, 2023 · 4 comments
Closed

JWT expired earlier than reported (K8s with gitlab as oidc provider) #22130

danleepw opened this issue Apr 5, 2023 · 4 comments
Labels
area/factory/server Server side of factory implementation kind/bug Outline of a bug - must adhere to the bug report template. lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. severity/P1 Has a major impact to usage or development of the system. sprint/next team/A This team is responsible for the Che Operator and all its operands as well as chectl and Hosted Che

Comments

@danleepw
Copy link

danleepw commented Apr 5, 2023
edited
Loading

Describe the bug

I could successfully login the che dashboard by using gitlab as oidc provider.

According to the log from oauth-proxy, the JWT was created at 2023-04-05 12:28:48.823669111 and expired at 2023-04-05 14:28:48.714427673.

////// log from oauth-proxy
10.42.0.5:52740 - 887ff7d643ea91c27a7c1125012b5bcf - [email protected] [2023/04/05 12:28:48] [AuthSuccess] Authenticated via OAuth2: Session{email:[email protected] user:2 PreferredUsername:foo.bar token:true id_token:true created:2023-04-05 12:28:48.823669111 +0000 UTC m=+83251.912780044 expires:2023-04-05 14:28:48.714427673 +0000 UTC m=+90451.803536215 refresh_token:true groups:[xxx.yyy]}

However, che-server said the JWT expired at 2023-04-05T12:30:48Z.

////// log from oauth-proxy
POST / "/api/kubernetes/namespace/provision" HTTP/1.1 "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.0.0 Safari/537.36" 500 2014 0.042

////// log from che-server
2023-04-05 12:31:00,117[nio-8080-exec-9] [ERROR] [o.a.c.c.C.[.[.[/api].[default] 175] - Servlet.service() for servlet [default] in context with path [/api] threw exception
io.jsonwebtoken.ExpiredJwtException: JWT expired at 2023-04-05T12:30:48Z. Current time: 2023-04-05T12:31:00Z, a difference of 9116 milliseconds. Allowed clock skew: 3000 milliseconds.
at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:448)
at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:550)
at io.jsonwebtoken.impl.DefaultJwtParser.parseClaimsJws(DefaultJwtParser.java:610)
at io.jsonwebtoken.impl.ImmutableJwtParser.parseClaimsJws(ImmutableJwtParser.java:173)
at org.eclipse.che.multiuser.oidc.filter.OidcTokenInitializationFilter.processToken(OidcTokenInitializationFilter.java:80)
at org.eclipse.che.multiuser.api.authentication.commons.filter.MultiUserEnvironmentInitializationFilter.doFilter(MultiUserEnvironmentInitializationFilter.java:127)
at org.eclipse.che.commons.logback.filter.RequestIdLoggerFilter.doFilter(RequestIdLoggerFilter.java:50)
at com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:121)
at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:133)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:185)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:158)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:197)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:119)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:769)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:690)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:353)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:382)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:872)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1705)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.base/java.lang.Thread.run(Thread.java:829)

Che version

7.63@latest

Steps to reproduce

  1. open the link of che dashboard
  2. redirect to gitlab login page, enter username and password
  3. redirect to che dashboard
  4. 2 minutes later, che dashboard reports "Backend in not available. Try to refresh the page or re-login to the Dashboard."

Expected behavior

che dashboard should be working within the JWT valid period

Runtime

Kubernetes (vanilla)

Screenshots

No response

Installation method

chectl/latest

Environment

Linux

Eclipse Che Logs

2023-04-05 12:31:00,117[nio-8080-exec-9] [ERROR] [o.a.c.c.C.[.[.[/api].[default] 175] - Servlet.service() for servlet [default] in context with path [/api] threw exception
io.jsonwebtoken.ExpiredJwtException: JWT expired at 2023-04-05T12:30:48Z. Current time: 2023-04-05T12:31:00Z, a difference of 9116 milliseconds. Allowed clock skew: 3000 milliseconds.
at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:448)
at io.jsonwebtoken.impl.DefaultJwtParser.parse(DefaultJwtParser.java:550)
at io.jsonwebtoken.impl.DefaultJwtParser.parseClaimsJws(DefaultJwtParser.java:610)
at io.jsonwebtoken.impl.ImmutableJwtParser.parseClaimsJws(ImmutableJwtParser.java:173)
at org.eclipse.che.multiuser.oidc.filter.OidcTokenInitializationFilter.processToken(OidcTokenInitializationFilter.java:80)
at org.eclipse.che.multiuser.api.authentication.commons.filter.MultiUserEnvironmentInitializationFilter.doFilter(MultiUserEnvironmentInitializationFilter.java:127)
at org.eclipse.che.commons.logback.filter.RequestIdLoggerFilter.doFilter(RequestIdLoggerFilter.java:50)
at com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:121)
at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:133)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:185)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:158)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:197)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:119)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:769)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:690)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:353)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:382)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:872)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1705)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.base/java.lang.Thread.run(Thread.java:829)

Additional context

image

No response
@danleepw danleepw added the kind/bug Outline of a bug - must adhere to the bug report template. label Apr 5, 2023
@che-bot che-bot added the status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. label Apr 5, 2023
@dmytro-ndp dmytro-ndp added severity/P1 Has a major impact to usage or development of the system. area/factory/dashboard Issues related to factories frontend (che user dashboard side) team/A This team is responsible for the Che Operator and all its operands as well as chectl and Hosted Che area/factory/server Server side of factory implementation and removed status/need-triage An issue that needs to be prioritized by the curator responsible for the triage. See https://github. area/factory/dashboard Issues related to factories frontend (che user dashboard side) labels Apr 5, 2023
@che-bot
Copy link
Contributor

che-bot commented Oct 11, 2023

Issues go stale after 180 days of inactivity. lifecycle/stale issues rot after an additional 7 days of inactivity and eventually close.

Mark the issue as fresh with /remove-lifecycle stale in a new comment.

If this issue is safe to close now please do so.

Moderators: Add lifecycle/frozen label to avoid stale mode.

@che-bot che-bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Oct 11, 2023
@che-bot che-bot closed this as completed Oct 18, 2023
@pppaapp
Copy link

pppaapp commented Jan 16, 2024

I have the same problem

Is there a solution?

This was referenced Feb 16, 2024
Open
Closed
@huonguyenlt
Copy link

@danleepw Hi, could you please share me how you set up the gitlab oidc? I am trying to do it , but cannot make it work.

@huonguyenlt
Copy link

error when I login to gitlab #23104
image

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/factory/server Server side of factory implementation kind/bug Outline of a bug - must adhere to the bug report template. lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. severity/P1 Has a major impact to usage or development of the system. sprint/next team/A This team is responsible for the Che Operator and all its operands as well as chectl and Hosted Che
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@dmytro-ndp @ibuziuk @vinokurig @danleepw @pppaapp @che-bot @huonguyenlt