Internal Server Error happens with release 2.4.15.5 and timed out sessions
zandbelt opened this issue
Discussed in #1197
Originally posted by HolgerHees March 14, 2024
After updating to version 2.4.15.3 and 2.4.15.5 I got a 500 after 1 hour of inactivity until I delete my cookies, followed by a relogin. The first time I saw it was directly after updating to 2.4.15.3, but it is still reproducible with the latest version 2.4.15.5.
I opened my browser after 12 hours and everything was fine. I had to login again. Then I kept my browser window open for an hour, without any interaction, and got this error after a page reload. The one hour is related to my OIDCSessionInactivityTimeout setting.
These are the Apache error logs:
[2024-03-14 08:46:42.519687] [auth_openidc:error] oidc_util_json_string_print: oidc_util_check_json_error: response contained an "error" entry with value: ""invalid_request""
[2024-03-14 08:46:42.519751] [auth_openidc:error] oidc_util_json_string_print: oidc_util_check_json_error: response contained an "error_description" entry with value: ""Invalid Credentials""
[2024-03-14 08:46:42.519771] [auth_openidc:warn] oidc_refresh_token_grant: refresh token routine called but no refresh_token found in the session
[2024-03-14 08:46:42.519812] [auth_openidc:error] oidc_userinfo_retrieve_claims: refreshing access token failed, claims will not be retrieved/refreshed from the userinfo endpoint
And this is my configuration:
OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
OIDCClientID <MYID>.apps.googleusercontent.com
OIDCClientSecret <MYSECRET>
OIDCCryptoPassphrase <MYCRYPTOPASSPHRASE>
OIDCScope "openid email profile"
OIDCRemoteUserClaim email
OIDCPassClaimsAs environment
OIDCCookie session_openidc
OIDCCookieDomain <MYDOMAIN>
OIDCDefaultURL https://<MYDOMAIN>/_auth/invalid/
OIDCRedirectURI https://<MYDOMAIN>/redirect_uri
OIDCSessionInactivityTimeout 3600
OIDCSessionMaxDuration 86400
OIDCStateMaxNumberOfCookies 10 true
OIDCCookieSameSite Off
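As an added example (not code from this issue or from mod_auth_openidc), here is a small parser for auth_openidc error-log lines in the format quoted above that flags a refresh attempt failing because the session holds no refresh_token, together with the provider error that preceded it and whether claims retrieval then failed. The four log lines from the report are embedded as sample input; the `[timestamp] [auth_openidc:level] function: message` layout and the 2-second correlation window are assumptions.

```python
import re
from datetime import datetime

# Sample input: the four lines from the report above, embedded verbatim.
SAMPLE_LOG = """\
[2024-03-14 08:46:42.519687] [auth_openidc:error] oidc_util_json_string_print: oidc_util_check_json_error: response contained an "error" entry with value: ""invalid_request""
[2024-03-14 08:46:42.519751] [auth_openidc:error] oidc_util_json_string_print: oidc_util_check_json_error: response contained an "error_description" entry with value: ""Invalid Credentials""
[2024-03-14 08:46:42.519771] [auth_openidc:warn] oidc_refresh_token_grant: refresh token routine called but no refresh_token found in the session
[2024-03-14 08:46:42.519812] [auth_openidc:error] oidc_userinfo_retrieve_claims: refreshing access token failed, claims will not be retrieved/refreshed from the userinfo endpoint
"""

# Assumed line layout: [timestamp] [auth_openidc:level] function: message
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[auth_openidc:(?P<level>\w+)\] (?P<func>\w+): (?P<msg>.*)$")
# Provider "error"/"error_description" as printed by oidc_util_check_json_error (note the doubled quotes)
JSON_ERR_RE = re.compile(r'an "(?P<key>error|error_description)" entry with value: "+(?P<val>[^"]+)"+')

def parse(text):
    """Return a list of (timestamp, level, function, message); lines from other modules are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((datetime.fromisoformat(m["ts"]), m["level"], m["func"], m["msg"]))
    return out

def find_refresh_failures(entries, window_s=2.0):
    """Flag each 'no refresh_token found in the session' warning, attaching the provider
    error seen shortly before it and whether the userinfo claims refresh then failed."""
    findings = []
    for i, (ts, _level, func, msg) in enumerate(entries):
        if func != "oidc_refresh_token_grant" or "no refresh_token found" not in msg:
            continue
        f = {"ts": ts, "error": None, "error_description": None, "claims_failed": False}
        # Look back within the window for the OP's JSON error fields.
        for pts, _l, _f, pmsg in reversed(entries[:i]):
            if (ts - pts).total_seconds() > window_s:
                break
            j = JSON_ERR_RE.search(pmsg)
            if j and f[j["key"]] is None:
                f[j["key"]] = j["val"]
        # Look forward within the window for the consequence on claims retrieval.
        for nts, _l, nf, nmsg in entries[i + 1:]:
            if (nts - ts).total_seconds() > window_s:
                break
            if nf == "oidc_userinfo_retrieve_claims" and "refreshing access token failed" in nmsg:
                f["claims_failed"] = True
        findings.append(f)
    return findings
```

Run `find_refresh_failures(parse(open("error_log").read()))` against a real Apache error log to see how often sessions hit this path after the inactivity timeout.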