Software Heritage

django/backends: Handle error when user session is no longer active
Closed, Public

Authored by anlambert on Aug 23 2021, 3:15 PM.

Details

Summary

When a user session has been terminated without using the logout view
(for instance, a user can log out from all their authenticated sessions
using the Keycloak account UI), the expired OIDC profile is still
in the webapp cache, which causes errors and prevents new user logins.

So ensure the expired profile is removed from the cache when the Django
authentication backend detects that the Keycloak session is no longer active.

Related to T3496
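The failure mode and the fix described in the summary, as an added illustration written for this page (it is not code from swh-auth or from Software Heritage): a minimal Django-style authentication backend whose get_user() asks Keycloak whether the session behind the cached profile is still alive and, when it is not, evicts the stale profile so the next login stores a fresh one instead of tripping over the expired entry. The dict used as the cache, the FakeKeycloakClient with its userinfo() and terminate_all_sessions() methods, the cache-key format, the profile shape and the evict_stale switch are all assumptions made for the example; the real backend's names and API do not appear on this page.

```python
"""Added example (not swh-auth code): evict a stale OIDC profile from the
cache once Keycloak reports that its session is no longer active.

Assumptions (hypothetical, not taken from the page):
- a plain dict stands in for Django's cache backend;
- FakeKeycloakClient.userinfo() raises KeycloakError when the session has
  been terminated server-side (e.g. "logout from all sessions" in the
  Keycloak account UI); a real client would call the OIDC userinfo endpoint.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


class KeycloakError(Exception):
    """Raised when Keycloak rejects a token (session terminated, expired, ...)."""


@dataclass
class FakeKeycloakClient:
    """Constructed stand-in: maps access tokens to the claims of live sessions."""

    active_tokens: Dict[str, dict] = field(default_factory=dict)

    def userinfo(self, access_token: str) -> dict:
        try:
            return self.active_tokens[access_token]
        except KeyError:
            raise KeycloakError("session not active") from None

    def terminate_all_sessions(self) -> None:
        # Models "logout from all sessions" done in the Keycloak account UI,
        # i.e. a termination that never goes through the webapp's logout view.
        self.active_tokens.clear()


class OIDCBackend:
    """Minimal Django-style auth backend; get_user() runs on each request."""

    def __init__(self, client: FakeKeycloakClient, cache: dict,
                 evict_stale: bool = True) -> None:
        self.client = client
        self.cache = cache
        self.evict_stale = evict_stale  # False reproduces the pre-fix behaviour

    @staticmethod
    def _cache_key(user_id: str) -> str:
        return f"oidc_profile_{user_id}"  # hypothetical key format

    def login(self, user_id: str, oidc_profile: dict) -> None:
        # Login path: cache the freshly obtained profile (hypothetical shape).
        self.cache[self._cache_key(user_id)] = oidc_profile

    def get_user(self, user_id: str) -> Optional[dict]:
        """Return the user while its Keycloak session is active, else None."""
        key = self._cache_key(user_id)
        profile = self.cache.get(key)
        if profile is None:
            return None
        try:
            claims = self.client.userinfo(profile["access_token"])
        except KeycloakError:
            if self.evict_stale:
                # The fix: drop the expired profile so a new login can succeed.
                self.cache.pop(key, None)
                return None
            raise  # pre-fix: the stale entry makes every request error out
        return {"id": user_id, "claims": claims}


def simulate(evict_stale: bool) -> dict:
    """Log in, terminate the session behind the webapp's back, request again."""
    cache: dict = {}
    client = FakeKeycloakClient(active_tokens={"tok-1": {"sub": "alice"}})
    backend = OIDCBackend(client, cache, evict_stale=evict_stale)
    backend.login("alice", {"access_token": "tok-1"})
    if backend.get_user("alice") is None:
        raise RuntimeError("fresh login should resolve to a user")

    client.terminate_all_sessions()
    try:
        user = backend.get_user("alice")
        errored = False
    except KeycloakError:
        user, errored = None, True

    # After the fix the entry is gone, so a new login can be cached cleanly.
    client.active_tokens["tok-2"] = {"sub": "alice"}
    backend.login("alice", {"access_token": "tok-2"})
    return {
        "errored": errored,
        "user_after_termination": user,
        "stale_profile_left_in_cache": "oidc_profile_alice" in cache and errored,
        "relogin_ok": backend.get_user("alice") is not None,
    }


if __name__ == "__main__":
    print("pre-fix :", simulate(evict_stale=False))
    print("post-fix:", simulate(evict_stale=True))
```

Running the block with evict_stale=False shows the symptom from the summary (an exception surfaces on the request after the external logout while the stale profile stays cached); with evict_stale=True the request degrades to an anonymous user and the cache is clean for the next login.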

Diff Detail

Repository
rDAUTH Common authentication libraries
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

Build is green

Patch application report for D6122 (id=22148)

Rebasing onto 2da72f399b...

Current branch diff-target is up to date.
Changes applied before test
commit 508b476db7c5283f6dcbb44e248109b07e39e66e
Author: Antoine Lambert <anlambert@softwareheritage.org>
Date:   Mon Aug 23 15:09:49 2021 +0200

    django/backends: Handle error when user session is no longer active

See https://jenkins.softwareheritage.org/job/DAUTH/job/tests-on-diff/85/ for more details.

This revision is now accepted and ready to land. (Aug 23 2021, 5:05 PM)

Nice catch.

I stumbled on the issue that morning; currently I cannot log in to the webapp because of it ...
We do similar processing in the bearer token backend, but we missed doing it in the other auth backend.

I will deploy that ASAP.