karma: Follow 302 redirects when fetching /alerts.json

I use Karma with alertmanager.proxy: true and authentication/authorization handled by a reverse proxy (Cloudflare Access to be precise).

The issue is that the session tokens set by Cloudflare Access expire after a while, so when Karma tries to fetch from /alerts.json, it gets an HTTP 302 reply and stops there. If it followed the redirects instead, it would be able to renew its token (through the magic of SSO), and then it could fetch the alerts as if nothing had happened.

Does that make sense?

About this issue

  • Original URL
  • State: closed
  • Created 5 years ago
  • Comments: 21 (17 by maintainers)

Most upvoted comments

Yes, errors in console are expected. Here’s what happens:

  • You open karma.example.com with some proxy service between your browser and karma itself
  • Auth proxy in between will redirect your browser on the / request to authenticate and issue some form of an token
  • If you leave browser running eventually that auth token expires
  • Next request for /alerts.json will be intercepted by proxy auth, instead of passing it to karma backend auth proxy will try to redirect it some auth page - this often breaks CORS since that auth page will likely be under different origin than karma.example.com (like sso.example.com) or is missing CORS headers, which means that the browser will block such request, /alerts.json requests will fail, plus it’s a XHR request so it won’t render that auth page in the browser anyway
  • The result is that karma will keep failing to fetch data from /alerts.json until you reload the page, which triggers in-browser redirect to the auth page again, the loop restarts

This is really poor UX you’ll get from auth proxies, any web service routed via one will behave in a similar way.

To minimise the disruption karma tries to detect this situation and help those auth requests complete by disabling CORS headers after N number of failures. Disabling CORS headers means that browser won’t block the request, it will get redirected to the auth proxy and there’s a good chance it will trigger token refresh, which will then allow subsequent requests to work. But since we first need to observe some failures to know that things ain’t right and it might be time to try without CORS you will see some failing requests in the console.

+2
prymitive on Dec 1, 2020

For keycloak it seems to work also. No manual reload anymore needed… Thank you very much. You earn your Christmas gifts very well!

+1
khauser on Dec 23, 2019

I don’t belive that there’s anything we can do to refresh auth sessions while doing fetch (by following redirects or something else), especially that some auth implementations might ask for use input (input 2nd factor auth, choose the account to use, etc) so the best solution I can think of right now is:

  • have retries for failed fetch requests (don’t wait the usual 30s or so but retry faster)
  • after a few consecutive failures reload the page

Will try to add that soon

+1
prymitive on Dec 18, 2019
Read more comments on GitHub
← karma: Don't work with the latest version api (v2) alertmanager
karma: Wrong receiver →