By: Pawel Walus named 31 Mar 2022 at 4:46 a.m. CDT

10 Responses
Hello, I'd like to ask for a possibility of determining if CIBA session is timed out. We are supposed to emit events related to, e.g., timeout, and as for current state, we are unable to catch such a state regarding CIBA. What was checked: for person authentication scripts and oxauth service, no log/message/hook appears when a timeout is expected to happen. Is there any known way of verifying if such a session is expired, or if there is a possibility for opening some channel/hook/.. for it from your side? Thank you in advance for the response on that matter.

By Michael Schwartz Account Admin 31 Mar 2022 at 10:06 a.m. CDT

Assigned... we'll look into it.

By Milton Ch. staff 04 Apr 2022 at 11:01 a.m. CDT

Hi Pawel, if you are talking about timeout for ping and push flows, yes, we are sending those requests to the back channel client notification endpoint. You should have the CIBA job running in your env and also see this log during timeout processing:

`Authentication request id {} has expired`

You should have properties set for CIBA based on the docs: https://gluu.org/docs/gluu-server/4.3/admin-guide/ciba/#json-configuration

In this context we have these properties:

- `backchannelRequestsProcessorJobIntervalSec`
- `backchannelRequestsProcessorJobChunkSize`

By Pawel Walus named 05 Apr 2022 at 4:59 a.m. CDT

Hey, thank you for answering. I am aware of the backchannel notification endpoint, but my use case is "I need to execute some action on the backend side" in case of such an event happening - for which the backchannel doesn't really help. Would it be possible to handle it for the above case?

By Milton Ch. staff 06 Apr 2022 at 7:53 a.m. CDT

Currently there is no backchannel notification in case the session expires. A workaround could be using the `exp` claim to see the expiration date, or using the introspection endpoint to verify whether a given token is still active.

By Pawel Walus named 07 Apr 2022 at 4:21 a.m. CDT

Thank you for answering.

By Pawel Walus named 19 Apr 2022 at 3:29 a.m. CDT

Hey, getting back to the topic. I have explored our possibilities for catching the expired CIBA session in order to emit the timed-out event:

- the job itself throws an exception when called, as in the attached log file. It looks like Resteasy is missing some dependency or configuration to make it work as expected,
- the job itself deletes the CIBA request after it's expired - that might influence any other scheduled job, leading to missed events if our job runs after that one.

How would that introspection endpoint behave in case of an expired/removed CIBA request?

By Milton Ch. staff 17 May 2022 at 7:38 a.m. CDT

Hi Pawel, sorry for the delay. Have you been able to get the REST call working? I suspect we are missing some lib, but it's weird to me because we ran all the certification and we also have other parts where we process REST calls, like JWKS URLs. Would you mind sharing which Gluu version you are using, please, so I can test on that one directly? About expired sessions: in such a case it works as with regular tokens, the AS will return ACCESS_DENIED with HTTP 401.
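
Added example (not part of the thread and not Gluu code): the workaround from the two staff replies above, reading the `exp` claim locally and interpreting an introspection result, including the HTTP 401 case. It assumes the token is a JWT and that the caller makes the introspection request itself; `jwt_exp`, `token_state` and `make_sample_jwt` are hypothetical names, and the sample token is constructed.

```python
import base64
import json
import time

def jwt_exp(token):
    """Return the `exp` claim (epoch seconds) of a JWT, or None if unreadable.

    The signature is NOT verified: use the value only to decide when to emit
    a timeout event, never to accept the token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None  # opaque token, no claims to read
    segment = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(segment))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    return exp if type(exp) in (int, float) else None

def token_state(token, status, body, now=None):
    """Classify a token as 'active', 'expired' or 'unknown'.

    status and body are the HTTP status and parsed JSON body of an
    introspection call already made by the caller (body may be None).
    """
    now = time.time() if now is None else now
    exp = jwt_exp(token)
    locally_expired = exp is not None and exp <= now
    if status == 200 and isinstance(body, dict):
        if body.get("active") is True:
            return "active"
        if body.get("active") is False:
            return "expired"  # RFC 7662: inactive tokens return active=false
    if status == 401 and locally_expired:
        return "expired"  # the 401 case described in the thread
    # A 401 without a past `exp` may be our own client credentials failing.
    return "unknown"

def make_sample_jwt(exp):
    """Build an unsigned, constructed JWT-shaped string for the demo."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"sub": "constructed", "exp": exp}), "sig"])
```

Because the CIBA job deletes the request once it has expired, the backend should store the expiry it read from `exp` rather than rely on looking the request up later.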

By Pawel Walus named 17 May 2022 at 9:11 a.m. CDT

Hello, thanks for the answer. We have handled the event without the mentioned endpoint - although obviously it would be worth fixing it. As for the date when I was testing it, we were using the 4.3.1_04 image. Right now we're on 4.4.0-1, but I haven't tested it with the fresh version, due to the above.

By Milton Ch. staff 18 May 2022 at 7:43 a.m. CDT

Ok, I will set up that version in my local environment and test it accordingly. Thanks!

By Milton Ch. staff 09 Jun 2022 at 11:28 a.m. CDT

Hi Pawel, I set up a new environment and I was testing this, however I couldn't reproduce it. I was able to get it working with an external service that consumes and produces application/json and everything worked as expected, not sure why in your case it's throwing an error. I also tested different versions, including both versions that you commented, 4.3.1 and 4.4.0, however everything works.