harbor: Can't refresh token via Gitlab OIDC
If you are reporting a problem, please make sure the following information are provided:
Expected behavior and actual behavior:
When I login via gitlab with OIDC, the login state will expire very soon, yeah, 120 second. I hope it can be longer.
Steps to reproduce the problem:
- create a gitlab application, and select the scope for openid
- then configure the harbor to login via OIDC
- and auth works, but after 120s, it will return 401 of /api/users/current
- check the core.log, will find it failed to refresh the token
Versions: Please specify the versions of following systems.
- harbor version: [1.8.0]
- docker engine version: [18.06.1]
- docker-compose version: [1.22.0]
Additional context:
- Harbor config files: You can get them by packaging
harbor.cfgand files in the same directory, including subdirectory. - Log files:
109 Jun 17 20:28:02 172.19.0.1 core[3804654]: 2019-06-17T12:28:02Z [ERROR] [/common/api/base.go:69]: GET /api/users/current failed with error: {"code":401,"message":"UnAuthorize"}
110 Jun 17 20:28:02 172.19.0.1 core[3804654]: 2019/06/17 12:28:02 #033[1;44m[D] [server.go:2774] | 10.115.21.44|#033[43m 401 #033[0m| 2.131508ms| match|#033[44m GET #033[0m /api/ users/current r:/api/users/:id#033[0m
111 Jun 17 20:28:02 172.19.0.1 core[3804654]: 2019-06-17T12:28:02Z [INFO] [/common/utils/oidc/secret.go:110]: Failed to verify ID Token, error: oidc: token is expired (Token Expiry: 2019- 06-17 12:27:03 +0000 UTC), refreshing...
112 Jun 17 20:28:02 172.19.0.1 core[3804654]: 2019-06-17T12:28:02Z [ERROR] [/core/filter/security.go:509]: Failed to verify secret, error: failed to verify the secret: failed to get id_token from refresh response
About this issue
- Original URL
- State: closed
- Created 5 years ago
- Reactions: 2
- Comments: 15 (7 by maintainers)
@jsimomaa After re-reading the comments and #9267 I realize it’s maybe correct that we do not expect id token in the refresh response. thanks for reporting this.
I am also affected by this.