OpenShift Bugs / OCPBUGS-60425

kube:admin user is immediately logged back in after token expiration


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Undefined
    • Affects versions: 4.15.z, 4.17.z, 4.16.z, 4.18.z, 4.19.z, 4.20.0
    • Component: Management Console
    • Quality / Stability / Reliability

Description of problem:

There is an issue with the session handling for the special kube:admin user.

When the session's access token expires (as defined by accessTokenMaxAgeSeconds in the OAuth configuration), the console receives a 401 Unauthorized error. This 401 error incorrectly triggers the standard logout flow instead of the specific flow required for kube:admin.

As noted in the console's own source code, the kube:admin user requires a special logout process (the logoutKubeAdmin function) to clear a session cookie on the OAuth server.

Because this special process is not called upon token expiry, the OAuth server immediately re-issues a token, logging the user back in without any user interaction. This prevents the session from properly terminating.

Version-Release number of selected component (if applicable):

4.20, 4.19.z, 4.18.z, 4.17.z, 4.16.z, 4.15.z

How reproducible:

Always

Steps to Reproduce:

1. Log in to the web console as the kube:admin user.

2. Set accessTokenMaxAgeSeconds to a short value. You can do this with the following command:

oc patch oauth cluster --type='merge' -p='{"spec":{"tokenConfig":{"accessTokenMaxAgeSeconds":10}}}'

3. Wait for the session's access token to expire, based on the accessTokenMaxAgeSeconds duration.

4. After the token has expired, perform any action in the console that requires an API call (e.g., navigating to a new page or refreshing data).

5. Observe the application's behavior.

Actual results:

The 401 error triggers a standard logout, but the user is immediately and automatically logged back into the console. The page reloads, but the session is seamlessly re-established without prompting for credentials.

Expected results:

When the kube:admin token expires and a 401 error is received, the user should be fully logged out and redirected to the login page. They should be required to re-authenticate to start a new session.

Additional info:

Root Cause Analysis

The problem lies in the global error handling logic for API requests.

When an API request fails with a 401 Unauthorized status after the token has expired, the logic is:

console/frontend/public/co-fetch.ts:56-58

if (response.status === 401 && shouldLogout(url)) {
  authSvc.logout(next);
}

This code invokes the standard authSvc.logout() function. However, the kube:admin user requires a special logout handler, logoutKubeAdmin(), to function correctly, as documented in console/frontend/public/module/auth.js:99-102 (function logoutKubeAdmin).

The current implementation bypasses this required logoutKubeAdmin function, failing to clear the necessary server-side session cookie and causing the immediate re-authentication loop. The error handler needs to be updated to check whether the current user is kube:admin and call the appropriate logout function. Should be an easy fix.
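The following is an added, stand-alone model of the 401 dispatch described above; it is not code from the OpenShift console repository. The AuthService shape, the currentUser() accessor and the shouldLogout() exclusion list are assumptions made for this example.

```typescript
// Added illustration of the 401 handling in co-fetch.ts: the buggy dispatch beside
// the proposed one. AuthService, currentUser() and NO_LOGOUT_PREFIXES are assumptions.
type LogoutKind = 'standard' | 'kubeadmin' | 'none';

interface AuthService {
  currentUser(): string | undefined;    // hypothetical accessor for the logged-in user
  logout(next?: string): void;          // standard logout
  logoutKubeAdmin(next?: string): void; // also clears the OAuth server session cookie
}

const KUBE_ADMIN_USER = 'kube:admin';
// Assumed: endpoints whose 401 must not end the session (e.g. a readiness probe).
const NO_LOGOUT_PREFIXES = ['/api/kubernetes/readyz'];

function shouldLogout(url: string): boolean {
  return !NO_LOGOUT_PREFIXES.some((p) => url.startsWith(p));
}

// Behaviour described in the bug: every 401 takes the standard logout path, so for
// kube:admin the OAuth session cookie survives and the user is logged straight back in.
function handle401Buggy(auth: AuthService, status: number, url: string, next?: string): LogoutKind {
  if (status === 401 && shouldLogout(url)) {
    auth.logout(next);
    return 'standard';
  }
  return 'none';
}

// Proposed shape of the fix: choose the logout routine by the current user.
function handle401Fixed(auth: AuthService, status: number, url: string, next?: string): LogoutKind {
  if (status !== 401 || !shouldLogout(url)) {
    return 'none';
  }
  if (auth.currentUser() === KUBE_ADMIN_USER) {
    auth.logoutKubeAdmin(next);
    return 'kubeadmin';
  }
  auth.logout(next);
  return 'standard';
}

// Constructed fake service that records which logout ran, for checking the dispatch.
function fakeAuth(user: string | undefined): AuthService & { calls: string[] } {
  const calls: string[] = [];
  return {
    calls,
    currentUser: () => user,
    logout: () => { calls.push('logout'); },
    logoutKubeAdmin: () => { calls.push('logoutKubeAdmin'); },
  };
}
```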

Assignee: Unassigned
Reporter: Leo Li (rh-ee-leoli)
YaDan Pei