"Something went wrong" unrecoverable errors when using OIDC


Kibana enterprise user here (kibana 7.8.1/Ror Enterprise 1.27.1).

The issue:
Sometimes, after inactivity, when users go back on Kibana, they get redirected to “Something went wrong” with an error message stating that “username” is undefined.
It only appears if the user is connected through OIDC. The “clear session” button does nothing (yet page reloads, same error message appears). The only way to escape is to remove cookie rorCookie_oidc_kc, then reload the page to correctly get redirected to /login.

My investigation:
From the timings, it seems that this can either be related to:

  • browser being suspended long enough for the OIDC session to expire but rorCookie_oidc_kc is kept (for example, login to Kibana, suspend system while keeping browser running, wait more than OIDC Session timeout, try to navigate in Kibana)
  • browser being suspended long enough for the rorCookie to expire but not rorCookie_oidc_kc (which is session scoped) (same operation as previous hypothesis, just different timing).
  • Or maybe another combination of timeouts between rorCookie/rorCookie_oidc_kc/OIDC session?

I’ve tried (using Firefox dev tools) to remove rorCookie (like it expired) while keeping rorCookie_oidc_kc: I get almost the same behavior, only the error message is different (identify is undefined).

I’ve not yet found any way to reproduce the exact same behavior on a regular basis. (“Natural” occurrences are sporadic, hence it’s hard to debug.)

Do you have any ideas of what could be wrong there?

Hello @pchesneau! Thank you for the great analysis as always.

I think what you are observing is resolved in 1.28.2, so please update to the latest ReadonlyREST Enterprise 1.29.9 for kibana 7.6.1

From our changelog page:

  • Fix (KBN) prevent SAML/OIDC initiated Kibana sessions from expiring after session_timeout_minutes despite continued interaction

I’ll check and update as soon as possible (most probably this afternoon). I’ll keep you updated.


It is deployed in our test environment, I’ll let it run for a few days and check if the issue arises again.


It seems to be good now. I’ll wait a few more days before closing this though.
Thanks a lot

End users did not report any other occurrences. Seems to be solved with the latest version. Thank you @sscarduzio
