leapp: AWS SSO Error after session expired

Describe the bug

In the morning I logged in through SSO. After the session expired, when I try to choose the account, I’m getting “AWS SSO Error”. Logs:

[2021-04-16 20:27:17.794] [info] [renderer] execute from Leapp:  {
  error: Error: Command failed: /usr/local/bin/az account clear 2>&1
      at ChildProcess.exithandler (child_process.js:312:12)
      at ChildProcess.emit (events.js:310:20)
      at maybeClose (internal/child_process.js:1021:16)
      at Socket.<anonymous> (internal/child_process.js:443:11)
      at Socket.emit (events.js:310:20)
      at Pipe.<anonymous> (net.js:672:12) {
    killed: false,
    code: 127,
    signal: null,
    cmd: '/usr/local/bin/az account clear 2>&1'
  },
  standardout: '/bin/sh: /usr/local/bin/az: No such file or directory\n',
  standarderror: ''
}
[2021-04-16 20:27:17.878] [error] [renderer] [t] UnauthorizedException: Session token not found or invalid UnauthorizedException: Session token not found or invalid
    at Object.extractError (file:///Applications/Leapp.app/Contents/Resources/app.asar/dist/leapp-client/main.a0a5735f897a9d1b1e5c.js:2:929950)
    at constructor.extractError (file:///Applications/Leapp.app/Contents/Resources/app.asar/dist/leapp-client/main.a0a5735f897a9d1b1e5c.js:2:875253)
    at constructor.callListeners (file:///Applications/Leapp.app/Contents/Resources/app.asar/dist/leapp-client/main.a0a5735f897a9d1b1e5c.js:2:2705757)
    at constructor.emit (file:///Applications/Leapp.app/Contents/Resources/app.asar/dist/leapp-client/main.a0a5735f897a9d1b1e5c.js:2:2705467)
    at constructor.emitEvent (file:///Applications/Leapp.app/Contents/Resources/app.asar/dist/leapp-client/main.a0a5735f897a9d1b1e5c.js:2:2889995)
    at constructor.e (file:///Applications/Leapp.app/Contents/Resources/app.asar/dist/leapp-client/main.a0a5735f897a9d1b1e5c.js:2:2885502)
    at r.runTo (file:///Applications/Leapp.app/Contents/Resources/app.asar/dist/leapp-client/main.a0a5735f897a9d1b1e5c.js:2:834476)
    at file:///Applications/Leapp.app/Contents/Resources/app.asar/dist/leapp-client/main.a0a5735f897a9d1b1e5c.js:2:834682
    at constructor.<anonymous> (file:///Applications/Leapp.app/Contents/Resources/app.asar/dist/leapp-client/main.a0a5735f897a9d1b1e5c.js:2:2885772)
    at constructor.<anonymous> (file:///Applications/Leapp.app/Contents/Resources/app.asar/dist/leapp-client/main.a0a5735f897a9d1b1e5c.js:2:2890051)

To Reproduce

Log in through SSO
Wait 12 hours
Try to change account under the same SSO (although I don’t know if that’s fully reproducible every time)

Desktop (please complete the following information):

OS: macOS
OS Version: 10.15.6
Leapp Version: 0.4.7

About this issue

Original URL
State: closed
Created 3 years ago
Comments: 39 (33 by maintainers)

Commits related to this issue

fix: corrected session timeout for AWS Single Sign-On session see the issue for details Reviewed-by: andreacavagna01 Refs #108 #105 — committed to Noovolari/leapp by andreacavagna01 3 years ago
fix: corrected session timeout for AWS Single Sign-On session see the issue for details Reviewed-by: andreacavagna01 Refs #108 #105 — committed to Noovolari/leapp by andreacavagna01 3 years ago

Most upvoted comments

PS: we’ve to manage this exception and start a new login process if the access token is no more valid

ericvilla on Feb 3, 2022

The problem is the expiration time given by AWS SSO auth method that is not corrected, will work on this today, adding an extra limitation to re login again

andreacavagna01 on Apr 23, 2021

Hi @m-radzikowski, thank you for the detailed response! The steps you followed to reset Leapp are right. I’ve tested the behavior locally and it works; logs are written down into the log path, which is defined in https://github.com/Noovolari/leapp/blob/35c5f1c04e85ee7f167bea9a537f98884c4e30c8/src/app/services/app.service.ts#L78 I’ve logged the AWS SSO access token expiration time, which is persisted into the ./Leapp-lock.json file. I logged in a few minutes ago, and the resulting log says:

EXPIRATION TIME: Tue Feb 01 2022 19:25:01 GMT+0100 (Central European Standard Time)

In my previous test - not this one - I’ve forced the AWS SSO Integration’s expiration by hard-coding an expired Date’s ISOString in the payload of the following method invocation: https://github.com/Noovolari/leapp/blob/35c5f1c04e85ee7f167bea9a537f98884c4e30c8/src/app/services/aws-sso-integration.service.ts#L89

I’m still investigating the reason behind the behaviour you reported. I’ll keep you updated and provide you - and anyone who is encountering the same problem - a solution. Every suggestion is welcome!

ericvilla on Feb 1, 2022

@ericvilla @urz9999 I updated to v0.8.1 yesterday and have problems again. Twice from yesterday.

First time after the update to v0.8.1. I removed the ~/.Leapp/Leapp-lock.json file and set up sessions again from fresh. It worked but then (probably after 12 hours) I’m getting the error again.

I see two changes mentioned in the release notes related to AWS SSO, so they may be related:

For now, I will revert to 0.8.0.

m-radzikowski on Jan 27, 2022