
okta - unable to renew the session. The session store may not support this feature #7221

Closed
lambertpan opened this issue Feb 2, 2023 · 22 comments
Labels
bug Bug report stale

Comments

@lambertpan

Describe the bug
I use v0.9.6.1, and for SSO I use Okta. I get a bad gateway error; it only works if I clear the cookie or open DataHub in incognito.

To Reproduce
Steps to reproduce the behavior:

  1. Go to 'www.mydatahub.com'
  2. Get the following error

[screenshot: the error page]

  3. And in the datahub-frontend pod, I see the following error: 'Unable to renew the session. The session store may not support this feature'
@lambertpan lambertpan added the bug Bug report label Feb 2, 2023
@YuriyGavrilov
Contributor

I have the same.
[screenshot]

It seems something is wrong with this PR: #7011

@YuriyGavrilov
Contributor

After clearing cookies it works fine.

@lambertpan
Author

Clearing the cookie makes it work, but it reappears once the session has expired.

@MioOgbeni

MioOgbeni commented Feb 6, 2023

Same here; it also reappears when I log out from the GUI.

Edit: I'm not using Okta, but Keycloak. It will be a generic problem with OIDC session caching.

@MioOgbeni

Could it be fixed by #7088? Can anyone try upgrading to v0.10.0?

@lambertpan
Author

I updated to v0.10.0; it seems to be fixed.

@caiopavanelli

caiopavanelli commented Feb 16, 2023

Same here, but I'm on v0.10.0. After the session expires, or if I click on logout, I get a 502 if I try to open DataHub again.
Clearing cookies solves the problem.
Using Okta.

@lambertpan
Author

It is not fixed. As @caiopavanelli mentioned, if I log out, I get the bad gateway.

@caiopavanelli

caiopavanelli commented Mar 1, 2023

One thing I noticed is that once I get the 502 when trying to access the frontend, the debug log in the frontend service prints the following lines. If I keep refreshing the page, these lines repeat as well.

```
# /tmp/datahub/logs/datahub-frontend/datahub-frontend.debug.lo
2023-03-01 12:20:45,348 [application-akka.actor.default-dispatcher-18] DEBUG o.p.o.r.OidcRedirectionActionBuilder - Authentication request url: https://************.okta.com/oauth2/v1/authorize?scope=openid+profile+email+groups&response_type=code&redirect_uri=https%3A%2F%2F************%2Fcallback%2Foidc&state=************&code_challenge_method=S256&client_id=************&code_challenge=************
2023-03-01 12:20:45,348 [application-akka.actor.default-dispatcher-18] DEBUG o.p.play.http.PlayHttpActionAdapter - requires HTTP action: 302
```

If I navigate to that link in the browser, I get an error from my OIDC Provider (Okta). However, the following lines are printed to the debug log.

```
2023-03-01 12:20:57,331 [application-akka.actor.default-dispatcher-13] DEBUG o.p.core.engine.DefaultCallbackLogic - === CALLBACK ===
2023-03-01 12:20:57,331 [application-akka.actor.default-dispatcher-13] DEBUG o.p.c.c.f.DefaultCallbackClientFinder - result: [oidc]
2023-03-01 12:20:57,331 [application-akka.actor.default-dispatcher-13] DEBUG o.p.core.engine.DefaultCallbackLogic - foundClient: #CustomOidcClient# | name: oidc | callbackUrl: https://************/callback | callbackUrlResolver: org.pac4j.core.http.callback.PathParameterCallbackUrlResolver@68737b76 | ajaxRequestResolver: org.pac4j.core.http.ajax.DefaultAjaxRequestResolver@394cd712 | redirectionActionBuilder: org.pac4j.oidc.redirect.OidcRedirectionActionBuilder@51e6ded | credentialsExtractor: org.pac4j.oidc.credentials.extractor.OidcExtractor@40beb6dd | authenticator: auth.sso.oidc.custom.CustomOidcAuthenticator@3365cd77 | profileCreator: org.pac4j.oidc.profile.creator.OidcProfileCreator@6cce684e | logoutActionBuilder: org.pac4j.oidc.logout.OidcLogoutActionBuilder@1ac9013f | authorizationGenerators: [auth.sso.oidc.OidcAuthorizationGenerator@2ff444e5] | configuration: #OidcConfiguration# | clientId: ************ | secret: [protected] | discoveryURI: https://************.okta.com/.well-known/openid-configuration | scope: openid profile email groups | customParams: {} | clientAuthenticationMethod: client_secret_basic | useNonce: false | preferredJwsAlgorithm: null | maxAge: null | maxClockSkew: 30 | connectTimeout: 500 | readTimeout: 5000 | resourceRetriever: com.nimbusds.jose.util.DefaultResourceRetriever@32672a19 | responseType: code | responseMode: null | logoutUrl: null | withState: true | stateGenerator: org.pac4j.core.util.generator.RandomValueGenerator@2d74b803 | logoutHandler: #DefaultLogoutHandler# | store: #GuavaStore# | size: 10000 | timeout: 30 | timeUnit: MINUTES | | destroySession: false | | tokenValidator: org.pac4j.oidc.profile.creator.TokenValidator@43644653 | allowUnsignedIdTokens: false | |
2023-03-01 12:20:57,332 [application-akka.actor.default-dispatcher-13] DEBUG o.p.o.c.extractor.OidcExtractor - Authentication response successful
```

After that, the PLAY_SESSION cookie gets cleared and I can access the DataHub frontend again. Since I'm not logged out of the OIDC provider, it authenticates directly for me.

@SteveRiceUK

Is there any update on this? Will the fix make a release?

@jjoyce0510
Collaborator

> If I navigate to that link in the browser, I get an error from my OIDC Provider (Okta). However, the following lines are printed to the debug log.

What error are you seeing exactly when you navigate to Okta? Trying to understand what could be happening here.

Also, I see that the screenshots above are showing a 502 from NGINX. Is everyone using some reverse proxy in front of datahub-frontend?

@jjoyce0510
Collaborator

My guess is that this has to do with how this redirect is interacting with the Nginx reverse proxy sitting in front of it, because without that we've not seen any issues here.

@jjoyce0510
Collaborator

Unsure whether something like this may be related: https://serverfault.com/questions/1019510/nginx-is-not-redirecting-302-redirect-response-to-https

@caiopavanelli

When the session cookie is expired, the UI tries to hit /sso, which fails on that 502 page.
The debug log only shows that line:

```
2023-03-01 12:20:45,348 [application-akka.actor.default-dispatcher-18] DEBUG o.p.play.http.PlayHttpActionAdapter - requires HTTP action: 302
```

If I enable TRACE logs for the controller, then I get a stack trace for the FoundAction at exactly that line.
I'll take a look at the link above, though.

@github-actions

github-actions bot commented Apr 9, 2023

This issue is stale because it has been open for 30 days with no activity. If you believe this is still an issue on the latest DataHub release please leave a comment with the version that you tested it with. If this is a question/discussion please head to https://slack.datahubproject.io. For feature requests please use https://feature-requests.datahubproject.io

@github-actions github-actions bot added the stale label Apr 9, 2023
@ho0ber

ho0ber commented Apr 10, 2023

Still having this issue with v0.10.0.

@github-actions github-actions bot removed the stale label Apr 11, 2023
@dshershov

I have the same issue with OIDC Keycloak auth: 502 Bad Gateway and

```
2023-04-17T15:38:05+05:00 2023-04-17 10:38:05,679 [application-akka.actor.default-dispatcher-15] ERROR o.p.core.engine.DefaultCallbackLogic - Unable to renew the session. The session store may not support this feature
```

@mkamalas
Contributor

mkamalas commented May 2, 2023

We also had the same issue in our installation of DataHub. The 502 is returned by the ingress in Kubernetes (GCP) when the response header size is large, due to the FoundAction being passed in the returned_url of the PLAY_SESSION cookie.
Recent implementations of PAC4J accept a String in RETURNED_URL, but v4.5.7 does not. So, to get around the issue, I added the annotations below to the ingress to allow a large cookie size. This fixed the 502 error.

```yaml
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/client-body-buffer-size: 64k
    nginx.ingress.kubernetes.io/client-header-buffer-size: 100k
    nginx.ingress.kubernetes.io/http2-max-header-size: 96k
    nginx.ingress.kubernetes.io/large-client-header-buffers: 4 100k
    nginx.ingress.kubernetes.io/proxy-body-size: 150m
    nginx.ingress.kubernetes.io/proxy-buffer-size: 96k
    nginx.ingress.kubernetes.io/server-snippet: |
      client_header_buffer_size 100k;
      large_client_header_buffers 4 100k;
```
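
The failure mode described in the comment above is a size problem rather than an authentication problem: the 302 that datahub-frontend emits to restart SSO carries a PLAY_SESSION cookie large enough that the proxy in front of it cannot buffer the upstream response headers, and answers 502 instead. The script below, an added example that is not DataHub, PAC4J or nginx code, reproduces that check offline: it builds a constructed 302 response with an oversized PLAY_SESSION cookie and measures the header block against a `proxy_buffer_size` value. The 4k default and the `large_client_header_buffers 4 8k` request-side default are stated from general nginx knowledge and should be confirmed against the deployed build; the Okta host, the cookie value and every size used here are constructed sample data.

```python
"""Check whether an upstream HTTP response's header block fits an nginx proxy buffer.

Added example (not DataHub/nginx code). The response is constructed to mimic the
302 that datahub-frontend sends when it re-initiates SSO with a large PLAY_SESSION
cookie. Size limits are assumptions based on nginx defaults, not values read from
any running proxy.
"""
from typing import Dict, Tuple

# Assumed nginx defaults: proxy_buffer_size is one memory page (4k on most
# builds, 8k on some platforms); large_client_header_buffers is 4 buffers of 8k.
DEFAULT_PROXY_BUFFER_SIZE = "4k"
DEFAULT_LARGE_CLIENT_HEADER_BUFFER = "8k"


def parse_size(value: str) -> int:
    """Convert an nginx size string such as '96k', '150m' or '4096' to bytes."""
    v = value.strip().lower()
    units = {"k": 1024, "m": 1024 * 1024}
    if v and v[-1] in units:
        return int(v[:-1]) * units[v[-1]]
    return int(v)


def header_block_size(raw_response: bytes) -> int:
    """Bytes in the status line plus headers, including the blank line that ends them."""
    end = raw_response.find(b"\r\n\r\n")
    if end == -1:
        raise ValueError("no end-of-headers marker found")
    return end + 4


def set_cookie_sizes(raw_response: bytes) -> Dict[str, int]:
    """Map each Set-Cookie name to the byte length of its whole header line."""
    head = raw_response[: header_block_size(raw_response)].decode("latin-1")
    sizes: Dict[str, int] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if not line:
            continue
        name, _, value = line.partition(":")
        if name.strip().lower() == "set-cookie":
            cookie_name = value.strip().split("=", 1)[0]
            sizes[cookie_name] = len(line.encode("latin-1"))
    return sizes


def check_proxy_buffer(raw_response: bytes,
                       proxy_buffer_size: str = DEFAULT_PROXY_BUFFER_SIZE) -> Tuple[bool, int, int]:
    """Return (fits, header_bytes, limit_bytes) for the upstream response.

    When the header block exceeds proxy_buffer_size, nginx logs
    "upstream sent too big header" and returns 502 to the client.
    """
    limit = parse_size(proxy_buffer_size)
    size = header_block_size(raw_response)
    return size <= limit, size, limit


def check_request_cookie(cookie_header_value: str,
                         buffer_size: str = DEFAULT_LARGE_CLIENT_HEADER_BUFFER) -> bool:
    """True if the Cookie header sent back by the browser fits one large client header buffer.

    A single request header line larger than one buffer makes nginx reject the
    request itself (400 'Request Header Or Cookie Too Large'), a different symptom
    from the 502 on the response path.
    """
    line = f"Cookie: {cookie_header_value}\r\n".encode("latin-1")
    return len(line) <= parse_size(buffer_size)


def build_sample_redirect(cookie_payload_len: int) -> bytes:
    """Constructed 302 standing in for the SSO re-initiation response."""
    cookie_value = "x" * cookie_payload_len  # stand-in for the serialized session / returned_url
    lines = [
        "HTTP/1.1 302 Found",
        "Location: https://example-tenant.okta.com/oauth2/v1/authorize?response_type=code",
        f"Set-Cookie: PLAY_SESSION={cookie_value}; Path=/; HttpOnly; Secure",
        "Content-Length: 0",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("latin-1")


if __name__ == "__main__":
    response = build_sample_redirect(5000)
    for setting in (DEFAULT_PROXY_BUFFER_SIZE, "96k"):
        fits, size, limit = check_proxy_buffer(response, setting)
        verdict = "fits" if fits else "exceeds -> nginx would answer 502"
        print(f"proxy_buffer_size {setting}: headers {size} B vs limit {limit} B: {verdict}")
    print("Set-Cookie sizes:", set_cookie_sizes(response))
```

Running it as-is shows the constructed 302 failing the 4k default and passing the 96k value from the annotations above, which is the same comparison the ingress performs on a real redirect; swapping `build_sample_redirect` for a captured upstream response (for instance one saved with `curl -D` directly against the datahub-frontend service, bypassing the proxy) turns it into a quick diagnostic for whether a buffer change, rather than a cookie problem, is the right fix.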

@ho0ber

ho0ber commented May 15, 2023

> We also had the same issue in our installation of datahub. The 502 is returned by the ingress in kubernetes (GCP) when the response header size is large due to the FoundAction being passed in the returned_url of the PLAY_SESSION cookie. The recent implementations of PAC4J is accepting String in RETURNED_URL but not v4.5.7. So, for getting around the issue, added below annotations in ingress to allow large cookie size. This fixed the 502 error.
>
> ```yaml
> metadata:
>   annotations:
>     kubernetes.io/ingress.class: nginx
>     nginx.ingress.kubernetes.io/client-body-buffer-size: 64k
>     nginx.ingress.kubernetes.io/client-header-buffer-size: 100k
>     nginx.ingress.kubernetes.io/http2-max-header-size: 96k
>     nginx.ingress.kubernetes.io/large-client-header-buffers: 4 100k
>     nginx.ingress.kubernetes.io/proxy-body-size: 150m
>     nginx.ingress.kubernetes.io/proxy-buffer-size: 96k
>     nginx.ingress.kubernetes.io/server-snippet: |
>       client_header_buffer_size 100k;
>       large_client_header_buffers 4 100k;
> ```

This fixed my issue as well! Thank you!

@dshershov

dshershov commented May 17, 2023

Awesome, thank you a lot @mkamalas!
Added this line to increase the cookie size: `nginx.ingress.kubernetes.io/proxy-buffer-size: 8k`

@github-actions

This issue is stale because it has been open for 30 days with no activity. If you believe this is still an issue on the latest DataHub release please leave a comment with the version that you tested it with. If this is a question/discussion please head to https://slack.datahubproject.io. For feature requests please use https://feature-requests.datahubproject.io

@github-actions github-actions bot added the stale label Jun 17, 2023
@github-actions

This issue was closed because it has been inactive for 30 days since being marked as stale.

@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Jul 17, 2023