Differences between security-dashboards-plugin

ynk888 · July 3, 2024, 11:18am

Versions (relevant - OpenSearch/Dashboard/Server OS/Browser):

2.15

Describe the issue:

My session still disappear after 1hour
I was think that after fix
released in 2.13

github.com/opensearch-project/security-dashboards-plugin

Fix cookie expiry issues from IDP/JWT auth methods, disables keepalive for JWT/IDP

opensearch-project:main ← derek-ho:idp-timeout

opened 10:43PM - 08 Feb 24 UTC

derek-ho

+617 -44

### Description There have been several complaints about timeouts within 1 hour… for OSD, even when the token/assertion passed back from the IDP lasts longer. For SAML one comment on the issue was to disable keepalive setting. This is because this [block of logic](https://github.com/opensearch-project/security-dashboards-plugin/blob/main/server/auth/types/authentication_type.ts#L162) in the authentication for keepalive would keep over-writing the expiryTime of the cookie to be a shorter value. In order to fix it, I took the max of the current value and the current time + session time. I believe this should have no regression, since keeping the session alive should never shorten the existing expiry of the cookie. However, this change is in a shared part of the code for all flows, so I may need extra eyes on this. I believe we need to close on #1711 before the full confusion around this is resolved. For OIDC, the expiry time is confusingly set on two values, [here](https://github.com/opensearch-project/security-dashboards-plugin/blob/main/server/auth/types/openid/routes.ts#L199) and [here](https://github.com/opensearch-project/security-dashboards-plugin/blob/main/server/auth/types/openid/routes.ts#L202). For requests, there seems to be both validation we perform on the plugin side of the cookie [here](https://github.com/opensearch-project/security-dashboards-plugin/blob/main/server/auth/types/openid/openid_auth.ts#L269) and validation that Hapi performs on the cookie [here](https://github.com/opensearch-project/security-dashboards-plugin/blob/main/server/session/security_cookie.ts#L71). To me it seems like there is a mismatch of focusing on the `cookie.credentials.expires_at`, instead of `cookie.expiryTime`. In order to be more consistent with the other forms of auth, I removed the `cookie.credentials.expires_at` property and instead opted to keep `cookie.expiryTime`, like the other forms of auth, and this fixed the issue. After initial review, the scope of this PR expanded to disable keepalive support for JWT based auth, including JWT, SAML, OIDC. In these cases, the session should not be kept alive beyond what the exp in the claim/assertion/JWT itself is. It also adds support to read the expiry of JWT if it exists and use the minimum of that the session TTL setting. ### Category [Enhancement, New feature, Bug fix, Test fix, Refactoring, Maintenance, Documentation] ### Why these changes are required? ### What is the old behavior before changes and new behavior after changes? The behavior for multi auth, proxy auth, basic auth remains unchanged. For JWT: the previous behavior was that sessions were the length of config.session.ttl. Subsequent user calls invoked the keepalive block to extend the session by config.session.ttl. The new behavior is that sessions are the minimum of (config.session.ttl and the expiry claim on the JWT, if it exists). Subsequent user calls invoke the keepalive block to extend the session to the lesser of (config.session.ttl and the expiry claim on the JWT, if it exists). For SAML: The previous behavior was the sessions were the length of the assertion. However, subsequent user calls if keepalive was enabled were potentially decreasing the value of the expirytime of the cookie. The new behavior is that sessions are the length of the assertion. Subsequent user calls to keep alive, even if it is enabled, will do nothing to the expirytime of the cookie. FOR OIDC: The previous behavior was that sessions were the length of config.session.ttl. This was due to a bug/reading of the wrong variable on the security cookie. The new behavior is that sessions are the length of the exp claim of the OIDC token, or the expiry of the token itself. Subsequent user calls to keep alive, even if it is enabled, will do nothing to the expirytime of the cookie. ### Issues Resolved Not sure if it solves them completely, but should fix #828 #159 much better. I think this PR can close those two issues, and we can keep #1711 as a tracking issue for session related confusion. Also fix: https://github.com/opensearch-project/security-dashboards-plugin/issues/1784 ### Testing [Please provide details of testing done: unit testing, integration testing and manual testing] ### Check List - [x] New functionality includes testing - [ ] New functionality has been documented - [x] Commits are signed per the DCO using --signoff By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license. For more information on following Developer Certificate of Origin and signing off your commits, please check [here](https://github.com/opensearch-project/OpenSearch/blob/main/CONTRIBUTING.md#developer-certificate-of-origin).

Configuration:

config:
    opensearch_dashboards.yml: |
       opensearch_security.cookie.secure: false
       opensearch_security.cookie.ttl: 43200000
       opensearch_security.session.ttl: 43200000
       opensearch_security.session.keepalive: true
       opensearch_security.openid.refresh_tokens: true

Relevant Logs or Screenshots:
I found differences that security-dashboard-plugin code looks different in my container than in github.

      if (this.config.session.keepalive) {
        cookie!.expiryTime = this.getKeepAliveExpiry(cookie!, request);
        this.sessionStorageFactory.asScoped(request).set(cookie!);
      }
Plain Text
        if (this.config.session.keepalive) {
          cookie.expiryTime = this.getKeepAliveExpiry(cookie, request);
          this.sessionStorageFactory.asScoped(request).set(cookie);
        }

Mantas · August 28, 2024, 10:52am

Hi @ynk888,

What IdP are you using?

Thanks,
mj

ynk888 · September 12, 2024, 8:36am

AzureAD

Mantas · September 16, 2024, 1:01pm

@ynk888, have you checked this: OpenSearch dashboards gets 401 unauthorized after 1 hour - #4 by karlo95

Topic		Replies	Views
Opensearch Dashboards with OpenID auth - frequent session timeouts Security troubleshoot , configure	1	685	September 16, 2023
Session expiration and keepalive settings ignored Security	3	193	July 10, 2024
Cookie still active even after logout Security security-issue	3	25	October 17, 2024
Jwt error in opensearch Security	3	598	January 12, 2023
OpenSearch Dashboards log out not clearing session cookie validity Security	1	661	April 22, 2022

Differences between security-dashboards-plugin

Related Topics