Not handling OpenId code flow authentication: No nonce code present. Login window timed out

[eperdeme]

General remarks

Describe the bug

We've been attempting to integrate our Oauth server (ping federate) with Kiali using Authorization Code flow and exhibiting strange issues. The session only lasts 5 minutes once the user has successful logged in and can see dashboard/config in Kiali UI.

In the log we see this error after the user has completed the login.

INF Not handling OpenId code flow authentication: No nonce code present. Login window timed out.

I find it strange Kiali is letting the user view config/etc but also says the login window timed out, which I guess means the auth has not been fully successful and the 5mins of usage the user gets stems from 'authentication_timeout'.

I'm happy to accept this is something my side to configure, but I'm not sure what I'm missing here. Any clues would be much appreciated.

auth:
 strategy: openid
 openid:
    client_id: "dev-kiali"
    disable_rbac: true
    issuer_uri: "https://sso.dev.corp.com"
    scopes:
    - "openid"
    - "email"
    username_claim: sub
    https_proxy: "http://webproxy:3128"
    http_proxy: "http://webproxy:3128"

Payload

{
  "sub": "nflynn@corp.co.uk",
  "aud": "dev-kiali",
  "jti": "ZKbdVusEYJLlhD7BGSwwQz",
  "iss": "https://sso.dev.corp.com",
  "iat": 1613507120,
  "exp": 1613507420,
  "auth_time": 1613505379,
  "nonce": "0c49c0aac36587219ffd8d2f6efc268d42d1738b9fd1674ca0abb4a1"
}

Versions used
Kiali:1.30.0
Istio:1.8
Kubernetes flavour and version: EKS - v1.18.9-eks-d1db3c

To Reproduce
Steps to reproduce the behavior:

1. Configure Ping Federate for the oauth app
2. Login to Kiali following the SSO
3. Get booted out after 5 minutes

Expected behavior
I stay logged.

[israel-hdez]

Hi @eperdeme

I'm wondering when you are getting the INF Not handling OpenId code flow authentication: No nonce code present. Login window timed out. message???. This is usually a message that is printed when a user is authenticating. I want check if it's being printed on a different moment.

Also, when you talk about authentication_timeout are you talking about the Kiali setting or about your OIDC session timeout setting?

[eperdeme]

Hi @israel-hdez thank you for your reply. I'm feeling a little lost in this area.

So the journey is as follows.

I visit the kiali UI in my web browser which is running behind Istio GW+VS.
The kiali UI renders and has the login button which starts the oauth process redirecting me to Ping to authenticate.
I enter my credentials as usual to Ping and then get redirect back to the Kiali UI.

As the Kiali UI is loading and showing me logged in (username in top right corner) and dashboard/graphs rendering this error appears in the pod log (nothing visual on browser) (i've got debug level logging)
INF Not handling OpenId code flow authentication: No nonce code present. Login window timed out.

After 5 minutes my session to Kiali expires with prompts appearing prior to the 5 minuites marker saying to save my work before X seconds.

The 'authentication_timeout' I speak of is the kiali config value which I believe controls the duration to wait for login process to be successful, which is 5 minutes default I believe, which I guess is the reason my session only lasts 5 minutes as Kiali does not believe the auth flow had finished....even though I somehow get in to Kiali, but thats my guess.

[israel-hdez]

The authentication_timeout in Kiali, as you way know, controls how much time to wait before Kiali won't accept authentication. If you click "Login" in Kiali you get redirected to the login form of your OIDC provider (Ping, for your case). If you do not enter your credentials before the authentication_timeout (5 minutes, by default), even if you write valid credentials after that time has passed and Ping lets accepts them, Kiali will simply reject authentication.

The 5 minute session is controlled in your OIDC provider. This doc page from Ping may be relevant: https://docs.pingidentity.com/bundle/pingfederate-93/page/jzv1564002996192.html. Notice that it's stated that the default "ID Token Lifetime" is 5 minutes. You will need to configure a longer token lifetime if you need a longer session.

[eperdeme]

Ah I've just found the setting that controls the tokens life, thank you for the link.

Bit of a silly question but my understanding was a tokens life in auth code flow would be refreshed by the browser transparent to the user, so even with a 5 mins expiry the token would get refreshed prior.

Is this additional functionality Kiali does not support or is that just my misunderstanding of oauth2.

Either way thank you for the reply it's pointed us in the right direction.

[jmazzitelli]

If this isn't a bug, please convert this issue to a Discussion (so we don't pollute the bug list with questions/discussions).

[israel-hdez]

Bit of a silly question but my understanding was a tokens life in auth code flow would be refreshed by the browser transparent to the user, so even with a 5 mins expiry the token would get refreshed prior.

Is this additional functionality Kiali does not support or is that just my misunderstanding of oauth2.

Yes, it's a part of the OpenId spec that isn't implemented in Kiali. Thus, the need for longer token lifetimes.
I think we are expecting a contribution for this to be implemented, because the team is spending time on other efforts.

[israel-hdez]

I'm converting this to a GitHub discussion. It will be closed and discussion can continue on the new place.

[arctiqaurora]

any updates on the solution here? i am getting the same error when trying to log in

[kuldeeps88]

@israel-hdez any pointer to the reported issue, I use the same Oauth issuer for Grafana and Kiali and in the response for Kiali I see the timeout is set to 5 mins which is issued by the issuer.
So I believe we need to add token refresh logic in the backend if the user session is active.

Kiali:
Set-Cookie: kiali-token-openid-nonce=XXXX$%@f; Path=/kiali; Expires=Wed, 28 Apr 2021 01:27:00 GMT; HttpOnly; SameSite=Lax

Grafana:
Set-Cookie: oauth_state=XXXX; Path=/grafana/; Max-Age=60; HttpOnly; SameSite=Lax

[israel-hdez]

This is what I answered in this thread: #3716 (comment).

And about the refresh token logic, I also answered in this same thread that we are expecting some community contribution ( #3716 (comment)). Usually, it is possible to configure larger token lifespans to avoid the need of the "refresh token logic". If you need this logic, I hope you can contribute to implementing it
.