Not handling OpenId code flow authentication: No nonce code present. Login window timed out #3716
General remarks
Describe the bug
We've been attempting to integrate our OAuth server (PingFederate) with Kiali using Authorization Code flow and exhibiting strange issues. The session only lasts 5 minutes once the user has successfully logged in and can see dashboard/config in Kiali UI. In the log we see this error after the user has completed the login.
I find it strange Kiali is letting the user view config/etc but also says the login window timed out, which I guess means the auth has not been fully successful and the 5 mins of usage the user gets stems from 'authentication_timeout'. I'm happy to accept this is something on my side to configure, but I'm not sure what I'm missing here. Any clues would be much appreciated.
Payload
Versions used
To Reproduce
Expected behavior
Replies: 9 comments 1 reply
Hi @eperdeme I'm wondering when you are getting the Also, when you talk about
Hi @israel-hdez thank you for your reply. I'm feeling a little lost in this area. So the journey is as follows. I visit the Kiali UI in my web browser, which is running behind Istio GW+VS. As the Kiali UI is loading and showing me logged in (username in top right corner) and dashboard/graphs rendering, this error appears in the pod log (nothing visual on browser) (I've got debug level logging). After 5 minutes my session to Kiali expires, with prompts appearing prior to the 5 minutes marker saying to save my work before X seconds. The 'authentication_timeout' I speak of is the Kiali config value which I believe controls the duration to wait for the login process to be successful, which is 5 minutes by default I believe, which I guess is the reason my session only lasts 5 minutes, as Kiali does not believe the auth flow had finished... even though I somehow get in to Kiali, but that's my guess.
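The authentication_timeout in Kiali, as you may know, controls how much time to wait before Kiali won't accept authentication. If you click "Login" in Kiali you get redirected to the login form of your OIDC provider (Ping, for your case). If you do not enter your credentials before the authentication_timeout (5 minutes, by default), even if you write valid credentials after that time has passed and Ping accepts them, Kiali will simply reject authentication.
The 5 minute session is controlled in your OIDC provider. This doc page from Ping may be relevant: https://docs.pingidentity.com/bundle/pingfederate-93/page/jzv1564002996192.html. Notice that it's stated that the default "ID Token Lifetime" is 5 minutes. You will need to configure a longer token lifetime if you need a longer session.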
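Added example (not part of the original thread and not Kiali or PingFederate code): the reply above attributes the 5 minute session to the ID token lifetime set by the provider, and this sketch reads that lifetime from an ID token's `iat` and `exp` claims. The token, issuer URL and client id are constructed for the demo, and the signature is deliberately not verified, so this is for diagnostics only.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(iat: int, lifetime: int, nonce: str) -> str:
    """Build a constructed ID token with a fake signature (demo input only)."""
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {"iss": "https://idp.example", "sub": "constructed-user",
              "aud": "kiali-example-client", "iat": iat,
              "exp": iat + lifetime, "nonce": nonce}
    body = ".".join(_b64url(json.dumps(p).encode()) for p in (header, claims))
    return body + "." + _b64url(b"constructed-signature")


def inspect_id_token(id_token: str, now: int) -> dict:
    """Decode the payload WITHOUT verifying the signature (diagnostics only)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS with three segments")
    seg = parts[1]
    claims = json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))
    for name in ("iat", "exp"):
        if not isinstance(claims.get(name), (int, float)):
            raise ValueError(f"ID token has no numeric '{name}' claim")
    return {
        "issuer": claims.get("iss"),
        "has_nonce": "nonce" in claims,
        # Lifetime chosen by the provider; per the thread this bounds the session.
        "lifetime_seconds": claims["exp"] - claims["iat"],
        "seconds_left": max(0, claims["exp"] - now),
        "expired": now >= claims["exp"],
    }


if __name__ == "__main__":
    issued = 1_600_000_000  # constructed timestamp
    token = make_sample_token(issued, lifetime=300, nonce="constructed-nonce")
    print(inspect_id_token(token, now=issued + 240))
```

A `lifetime_seconds` of 300 here points at the provider's ID token lifetime rather than Kiali's `authentication_timeout`, which only limits how long the login form may stay open.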
Ah, I've just found the setting that controls the token's life, thank you for the link. Bit of a silly question, but my understanding was a token's life in auth code flow would be refreshed by the browser transparent to the user, so even with a 5 mins expiry the token would get refreshed prior. Is this additional functionality Kiali does not support, or is that just my misunderstanding of OAuth2? Either way, thank you for the reply, it's pointed us in the right direction.
If this isn't a bug, please convert this issue to a Discussion (so we don't pollute the bug list with questions/discussions).
Yes, it's a part of the OpenId spec that isn't implemented in Kiali. Thus, the need for longer token lifetimes.
I'm converting this to a GitHub discussion. It will be closed and discussion can continue on the new place.
Any updates on the solution here? I am getting the same error when trying to log in.
@israel-hdez any pointer to the reported issue? I use the same OAuth issuer for Grafana and Kiali, and in the response for Kiali I see the timeout is set to 5 mins, which is issued by the issuer. Kiali: Grafana:
The authentication_timeout in Kiali, as you may know, controls how much time to wait before Kiali won't accept authentication. If you click "Login" in Kiali you get redirected to the login form of your OIDC provider (Ping, for your case). If you do not enter your credentials before the authentication_timeout (5 minutes, by default), even if you write valid credentials after that time has passed and Ping accepts them, Kiali will simply reject authentication.
The 5 minute session is controlled in your OIDC provider. This doc page from Ping may be relevant: https://docs.pingidentity.com/bundle/pingfederate-93/page/jzv1564002996192.html. Notice that it's stated that the default "ID Token…