By: Pawel Walus named 31 Mar 2022 at 4:46 a.m. CDT

6 Responses
Pawel Walus gravatar
Hello, I'd like to ask for a possibility of determining if CIBA session is timed out. We are supposed to emit events related to, e.g., timeout, and as for current state, we are unable to catch such a state regarding CIBA. What was checked: for person authentication scripts and oxauth service, no log/message/hook appears when a timeout is expected to happen. Is there any known way of verifying if such a session is expired, or if there is a possibility for opening some channel/hook/.. for it from your side? Thank you in advance for the response on that matter.

By Michael Schwartz Account Admin 31 Mar 2022 at 10:06 a.m. CDT

Michael Schwartz gravatar
Assigned... we'll look into it.

By Milton Ch. staff 04 Apr 2022 at 11:01 a.m. CDT

Milton Ch. gravatar
Hi Pawel, if you are talking about timeout for ping and push flows, yes, we are sending those requests to the back channel client notification endpoint, you should have CIBA job running in your env and also see this log during timeout processing. `Authentication request id {} has expired` You should have properties set for CIBA based on docs: https://gluu.org/docs/gluu-server/4.3/admin-guide/ciba/#json-configuration In this context we have these properties: - backchannelRequestsProcessorJobIntervalSec - backchannelRequestsProcessorJobChunkSize

By Pawel Walus named 05 Apr 2022 at 4:59 a.m. CDT

Pawel Walus gravatar
Hey, thank you for answering. I am aware of backchannel notification endpoint, but my use case is "I need to execute some action on backend side" in case of such event happening - for which backchannel doesn't really help. Would it be possible to handle it for above case?

By Milton Ch. staff 06 Apr 2022 at 7:53 a.m. CDT

Milton Ch. gravatar
Currently there is no backchannel notification in case session expires, some workaround could be using `exp` claim in order to see expiration date, or also using introspection endpoint to verify whether a given token is still active.

By Pawel Walus named 07 Apr 2022 at 4:21 a.m. CDT

Pawel Walus gravatar
Thank you for answering.

By Pawel Walus named 19 Apr 2022 at 3:29 a.m. CDT

Pawel Walus gravatar
Hey, getting back to the topic. I have explored our possibilities about catching the expired ciba session for emitting the timedout event. - the job itself throws an exception while called, as in attached log file. It looks like Resteasy is missing some dependency or configuration to make it work as expected, - the job itself deletes the ciba request after it's expired - that might influence any other scheduled job, leading to missing out events if our job runs after that one. How would that introspection endpoint behave in case of expired/removed ciba request?