Bug #2015

redmine/gerrit authentication expires too often/frequently

Added by laforge 8 months ago. Updated 8 months ago.

Status: In Progress
Priority: Normal
Assignee:
Category: redmine
Target version: -
Start date: 04/20/2017
Due date:
% Done: 0%
Spec Reference:

Description

From an e-mail by Sylvain:

I'm not sure if it's just me or if I'm using it wrong but I'm always
annoyed when I have to login to gerrit ...

1) I shouldn't be logged out at all ... it's not a high security stuff
that session should be kept open for a long time, like > 1 week
without issues ...
2) I have to retype the openid login url. I mean there is a login with
Yahoo and login with Launchpad Id dedicated link, isn't there a way to
add, "login with your osmocom redmine account" link ?
3) Then I'm redirected to redmine, where I have to login as well,
because again for some reason I've been logged out. Same comment as
above, unless I explicitly log out, that session should last for ever
pretty much ...
4) When I then login to redmine, I get redirected to the OpenID end
point but at this point the "open id state" or whatever has been lost
and so I need to go back to gerrit and re-do the whole login process
so it can do it in one go without being interrupted by the redmine
login process and finally log me into gerrit ...

I can assure you I gave up on the whole process more than one time ....

Cheers,

   Sylvain

Let's track in this ticket only the question why the authentication expires that frequently.

History

#1 Updated by zecke 8 months ago

Yes, unfortunately I have seen all of these. Will look at it during OsmoDevCon.

  • Gerrit should cache the log-in for months. I suspect the OpenID "token" holds an expiry as well. Need to learn/investigate it
  • Button. Yes, but then we permanently need to rebase/patch it. But true
  • I need to figure out if redmine can keep the info after the redirect..

#2 Updated by neels 8 months ago

In the redmine admin, I see an "Autologin: disabled" item that can be set to 1, 7, 30 or 365 days. I set it to 30 days to see whether it helps.

Also there's a "Session maximum lifetime" set to disabled, assuming that that means there is no expiration.

#3 Updated by zecke 8 months ago

  • Status changed from New to In Progress
  • I don't see an expiration handling in the OpenID gerrit code => not sure what to do. But "rememberme" seems to have an effect
  • I have added an "Osmocom Login button" to the page.

Going to continue to look at how to improve it.
