• Epic
    • Resolution: Done
    • Major
    • 1.4.1
    • 1.3.3, 1.4.0
    • Documentation
    • [Doc] OIDC refresh token behaviour
    • 3
    • False
    • False
    • To Do
    • RHIDP-4691 - Follow up Actions: RHDH 1.2.3 Weakness: OIDC refresh_token unusual authentication flow
    • QE Needed, Docs Needed, TE Needed, Customer Facing, PX Needed
    • When using {rhsso-brand-name} or {rhbk-brand-name} as an OIDC provider, the default access token lifespan is set to 5 minutes, which corresponds to the token refresh grace period set in {product-short}. This 5-minute grace period is the threshold used to trigger a new refresh token call. Since the token is always near expiration, frequent refresh token requests will cause performance issues.

      This issue will be resolved in the 1.5 release. To prevent the performance issues, increase the lifespan in the {rhsso-brand-name} or {rhbk-brand-name} server by setting *Configure > Realm Settings > Access Token Lifespan* to a value greater than five minutes (preferably 10 or 15 minutes).
    • Known Issue
    • Done

      EPIC Goal

      What are we trying to solve here?

      Background/Feature Origin

      Backstage has an unusual way of handling token refresh. It will refresh the OIDC access token or Backstage token if either one of them is within 5 minutes of being refreshed.

      Why is this important?

      This behaviour is not obvious to consumers and needs to be documented because it may have security and performance considerations.
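
The known-issue text above says that an access token lifespan equal to the 5-minute grace period leaves the token always near expiration. The following added example (not Backstage or {product-short} code) models that with a hypothetical client that checks the grace period before every request; the 30-second request interval, the inclusive threshold and all function names are assumptions.

```python
"""Added illustration: hypothetical model of a refresh-on-grace-period client."""

GRACE_SECONDS = 5 * 60  # refresh threshold stated in the known-issue text


def count_refresh_calls(lifespan_s, request_interval_s, duration_s,
                        grace_s=GRACE_SECONDS):
    """Count refresh-token calls made by a client that, before each request,
    refreshes whenever the access token is within `grace_s` of expiry.

    Assumed model (not Backstage source code): the check runs once per
    request, and a refresh returns a token valid for `lifespan_s` from then.
    """
    expires_at = lifespan_s  # first token issued at t = 0
    refreshes = 0
    for now in range(0, duration_s, request_interval_s):
        if expires_at - now <= grace_s:
            refreshes += 1
            expires_at = now + lifespan_s  # new token, full lifespan again
    return refreshes


def compare_lifespans(lifespans_min=(5, 10, 15), request_interval_s=30,
                      duration_s=3600):
    """Return {lifespan in minutes: refresh calls} for one simulated hour."""
    return {
        minutes: count_refresh_calls(minutes * 60, request_interval_s, duration_s)
        for minutes in lifespans_min
    }


if __name__ == "__main__":
    for minutes, calls in compare_lifespans().items():
        print(f"access token lifespan {minutes:>2} min -> "
              f"{calls:>3} refresh calls per hour")
```

In this model, a 5-minute lifespan turns every request into a refresh call, while a 10- or 15-minute lifespan reduces refreshes to a handful per hour.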

      User Scenarios

      Described in dependent issues:

      https://issues.redhat.com/browse/RHIDP-4692

      https://issues.redhat.com/browse/RHIDP-4694

      Dependencies (internal and external)

      See above

      Acceptance Criteria

      Release Enablement/Demo - Provide necessary release enablement details
      and documents

      DEV - Upstream code and tests merged: <link to meaningful PR or GitHub
      Issue>

      DEV - Upstream documentation merged: <link to meaningful PR or GitHub
      Issue>

      DEV - Downstream build attached to advisory: <link to errata>

      QE - Test plans in Playwright: <link or reference to playwright>

      QE - Automated tests merged: <link or reference to automated tests>

      DOC - Downstream documentation merged: <link to meaningful PR>

              rh-ee-jhe Jessica He
              ktsao@redhat.com Kim Tsao
              RHIDP - Documentation