SSO session lifetime is not affected by configuration

[originswift-sys]

SSO session lifetime is not affected by configuration

Description

Unless I'm missing something here, the Session timeout value of tenants have no effect on the SSO session expiry. I currently have it set to 31536000 seconds and the SSO session still expires as if this wasn't configured at all.

Affects versions

1.27.2, 3 nodes (Kubernetes)
Also experienced same in single node mode (Docker)

Expected behavior

Increasing Session timeout should increasing the session lifetime accordingly, as documented.

Platform

(Please complete the following information)

• Device: Desktop
• OS: Windows 10 & Ubuntu 20.04
• Latest versions of Chrome, Firefox and Edge
• PostgresSQL 13.3

[mooreds]

Hi @originswift-sys . Thanks for using FusionAuth.

Can you please provide replication steps as to how you are verifying that the SSO session expires in a way you don't expect (API call, looking at cookie lifetime, using a sample app, etc)?

[originswift-sys]

So I've setup SSO. I hit the /oauth2/authorize with the correct params to use the auth code flow, and it all works great. I've verified that the session cookie expiry is set to the time I configured in the oauth tab of the tenant. Problem is, if I hit the /oauth2/authorize after an hour passes, it removes the cookie and prompts for login again with the toast that reads like "you've been logged out of fusionauth"

[originswift-sys]

I've tried numerous previous versions of fusionauth. Same result.
Deployed differently on different machines. Same result.
No logs indicate anything weird in dev mode.
Just consistent hourly session death.

[mooreds]

@jobannon do you have time to try to replicate?

[robotdan]

To ensure you are using the right config, there are two timeouts you will want to ensure are configured.

1. SSO timeout. This is configured in Tenant > OAuth > Session timeout. This is the TTL in seconds that will control how long the SSO session lives.
2. The FusionAuth admin session timeout. Applications > FusionAuth > Edit > JWT > Refresh Token settings > Refresh Token duration. Default is 60 minutes.

What values do you have configured for each of these?

[originswift-sys]

@robotdan

1. 31536000
2. The default

Is the refresh token lifetime coupled to SSO session? I asserted that SSO session would outlive JWTs and catalyze obtaining new ones, regardless of the expiry of the tokens.

Also, my session has been alive for over 12 hours ever since I updated the session timeout of the default tenant to 31536000 as well. Previously, I only configured the tenant I created. I'm going to undo the default tenant session config now, destroy all sessions and see if I can decipher what's really going on.

[robotdan]

Your assertion is correct, if your SSO TTL is greater than your FusionAuth admin session TTL, then I would expect the FusionAuth admin session to die, it will kick you over to SSO, and because SSO is still alive, it will log you back into FusionAuth admin seamlessly, giving you a new FusionAuth session.

Is this on localhost, or a prod URL using https?

[originswift-sys]

Production, using HTTPS.

I'm fine with a short-lived fusionauth admin session. My aim is to have SSO sessions for apps under the tenant I created last for at least a year. That is, the access token and refresh tokens of each app are allowed to die on inactivity, but the SSO session for that tenant lives long and the users don't have to supply login credentials again when the apps encounter a 401 and throw them to /oauth2/authorize (per my design).

This didn't work until I decided to try configuring the default tenant. The SSO session for the custom tenant kept dying as if it had some coupling with the default tenant session lifetime (I reckon it shouldn't?), which was still on the default 3600 seconds.

[robotdan]

When you end up having to login again after an hour - if you view the user's profile in FusionAuth admin, do you still see their SSO token under the "Sessions" tab?

[originswift-sys]

I'll observe and feedback after an hour.

[originswift-sys]

@robotdan the SSO session disappears after an hour as I returned the default tenant's session lifetime to 3600.

This implies the global SSO session is coupled to default tenant's session lifetime, and the session lifetime of other tenants are ineffective.

[robotdan]

There is only one SSO, which is the FusionAuth SSO, I believe this is then always configured by the default tenant value for Session timeout.

However, I see that this value is available on each tenant, I don't know if that is a UI bug only or if we using it elsewhere.

We'll investigate further.

Internal note: Review usages of tenant.httpSessionMaxInactiveInterval as it relates to SSO and the FusionAuth SSO token revocation.

[robotdan]

@jobannon can you set this up and attempt to replicate please.

[jobannon]

Interesting. This seems adjacent to the main issue but:

1. If I spin up our node/typescript example app. And create an SSO_test_app
2. Log in
3. As expected, I am presented with a logout button after logging in. This would indicate to me that I have an SSO session setup.

-however-

1. If I use the FA admin UI and navigate to the login URL (for instance, below)

https://local.fusionauth.io/oauth2/authorize?client_id=f61c3986-9719-4792-9ec1-1a6551e2dc76&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Foauth-redirect

I am not automatically logged in based on the previous session. This could be expected behavior as maybe the node app and the direct copypasta from the admin screen creates slightly different cookies in the browser.

-More importantly, after an hour-

• The FusionAuth Admin UI logged me out as I would expect
• The node application kept my logged-in session
• The direct IdP OAuth2 Login URL worked(https://local.fusionauth.io/oauth2/authorize?client_id=f61c3986-9719-4792-9ec1-1a6551e2dc76&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Foauth-redirect)

This was all tested on local dev setup.

Also, I tested the Admin UI session timeouts (for sake of exploration, I ended up shortening the admin window duration). If I set the default tenant to 60 seconds on the OAuth2, and the refresh token duration to one minute and the JWT duration to 60 seconds, then I become logged out very quickly, as expected!