Camunda Optimize / OPT-6366

Lifetime of Optimize session in SaaS is not aligned with lifetime of service token


      Context:

      Since OPT-6274 the service accessToken is stored in a cookie (X-Optimize-Service-Token), and its lifetime can differ from that of the auth cookie (X-Optimize-Authorization) that represents the user session.
      If X-Optimize-Service-Token expires before X-Optimize-Authorization, Optimize requests that rely on X-Optimize-Service-Token may fail with HTTP status 401.
      With OPT-5998 such a 401 triggers a page reload to reinitialise the OAuth2 authentication flow (on the assumption that a 401 means the user session expired). If the X-Optimize-Authorization cookie is still valid, however, the reload does not re-authenticate, the service token stays expired, the next request fails with 401 again, and the result is an endless refresh loop.

      AT:

      • ensure that expiry of either cookie (X-Optimize-Authorization or X-Optimize-Service-Token) results in a full recreation of the user session with valid new cookies
      • disable the automatic refresh of the X-Optimize-Authorization cookie in a SaaS environment
      • ideally align the expiry of both cookies, using the shortest lifetime, i.e. either that of the access token or the configured `security.auth.token.lifeMin`
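      The following is an added example, not Camunda Optimize code, that models the failure described in the context and the two fixes the acceptance criteria ask for: one Max-Age for both cookies taken as the shorter of the access-token lifetime and `security.auth.token.lifeMin`, and a client that treats a 401 as "recreate the whole session once" rather than "reload until it works". The fake server, the synchronous `fetchImpl`/`recreateSession` callbacks, the 30-second guard window and all function names are assumptions made for the example.

```javascript
// Added example (not Camunda Optimize code) for OPT-6366.
// Cookie names come from the issue; everything else is assumed.
const AUTH_COOKIE = "X-Optimize-Authorization";
const SERVICE_COOKIE = "X-Optimize-Service-Token";

// Fix 1 (server side): one Max-Age for both cookies, the smaller of the access
// token's remaining lifetime and the configured session lifetime
// security.auth.token.lifeMin (minutes). nowMs is passed in for testability.
function alignedMaxAgeSeconds(accessTokenExpMs, lifeMin, nowMs) {
  const tokenRemaining = Math.floor((accessTokenExpMs - nowMs) / 1000);
  const sessionLifetime = lifeMin * 60;
  return Math.max(0, Math.min(tokenRemaining, sessionLifetime));
}

// Set-Cookie header values for both cookies with the aligned lifetime.
function sessionCookies(authToken, serviceToken, maxAgeSeconds) {
  const attrs = `Max-Age=${maxAgeSeconds}; Path=/; HttpOnly; Secure; SameSite=Strict`;
  return [
    `${AUTH_COOKIE}=${authToken}; ${attrs}`,
    `${SERVICE_COOKIE}=${serviceToken}; ${attrs}`,
  ];
}

// Fix 2 (client side): fetchImpl(url) returns {status}; recreateSession()
// drops both cookies and runs the OAuth2 flow again. Both are synchronous here
// only to keep the example self-contained (assumption); real ones are async.
// A 401 recreates the session at most once per windowMs. A second 401 inside
// the window means the cause is not an expired session, so we raise an error
// instead of looping.
function createSessionClient({ fetchImpl, recreateSession, nowMs, windowMs = 30000 }) {
  let lastRecreateAt = -Infinity;
  return function request(url) {
    const response = fetchImpl(url);
    if (response.status !== 401) return response;
    const now = nowMs();
    if (now - lastRecreateAt < windowMs) {
      throw new Error(`still 401 from ${url} after recreating the session; not retrying`);
    }
    lastRecreateAt = now;
    recreateSession();
    return fetchImpl(url); // retry once with the fresh session
  };
}

// Constructed fake server reproducing the issue: the auth cookie is valid but
// the service token has expired, so endpoints that need it answer 401.
function makeFakeServer() {
  const cookies = { authValid: true, serviceValid: false };
  let recreations = 0;
  return {
    fetchImpl(url) {
      if (!cookies.authValid) return { status: 401 };
      if (url.startsWith("/api/service/") && !cookies.serviceValid) return { status: 401 };
      return { status: 200 };
    },
    recreateSession() {
      recreations += 1;
      cookies.authValid = true;
      cookies.serviceValid = true;
    },
    expireServiceToken() {
      cookies.serviceValid = false;
    },
    get recreations() {
      return recreations;
    },
  };
}

// The naive handler from the issue: reload on every 401 and try again. The
// reload keeps the still-valid auth cookie and the expired service token, so
// nothing changes between attempts. Bounded by maxAttempts so it returns.
function naiveReloadLoop(server, url, maxAttempts) {
  let attempts = 0;
  while (attempts < maxAttempts) {
    attempts += 1;
    if (server.fetchImpl(url).status !== 401) return attempts;
  }
  return attempts; // bound reached: this is the endless refresh loop
}
```

      With an aligned Max-Age the service token can no longer outlive the session cookie on the client, and the guarded client turns the one remaining 401 into a single full re-authentication instead of a reload loop.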


              Assignee: Unassigned
              Reporter: Sebastian Bathke (sebastian.bathke)