Can't do anything when token expires in nativeUserMode #20275

Closed
sparkoo opened this issue Aug 9, 2021 · 4 comments
Labels
area/dashboard kind/bug Outline of a bug - must adhere to the bug report template. lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. severity/P2 Has a minor but important impact to the usage or development of the system.


@sparkoo
Member

sparkoo commented Aug 9, 2021

Describe the bug

having nativeUserMode: true, when openshift token expires, dashboard shows only error with no options to do anything.

Che version

next (development version)

Steps to reproduce

  1. deploy with nativeUserMode enabled (default on current main on openshift with devworkspaces)
  2. set openshift token lifetime to some reasonable time with oc edit oauth cluster and set

         spec:
           tokenConfig:
             accessTokenMaxAgeSeconds: 120

  3. wait for a few minutes until openshift reconciles new configuration
  4. login to Che
  5. wait until token expires
  6. open dashboard again, you'll see error as in screenshot

Expected behavior

I don't think it's possible to refresh openshift token. So we should probably just logout user and redirect to login page.

First we need to fix che-server part #20304 so it returns 401, then Dashboard should better react to 401 response from che-server.

Workaround

Delete _oauth_proxy cookie.

Runtime

OpenShift

Screenshots

20210809_132937_1001x449_scrot

Installation method

chectl/next

Environment

other (please specify in additional context)

Eclipse Che Logs

2021-08-09 11:29:53,121[nio-8080-exec-9]  [ERROR] [shiftTokenInitializationFilter 84]   - Unauthorized when getting current user. Invalid OpenShift token, probably expired. Re-login? Re-request the token?
2021-08-09 11:29:53,122[nio-8080-exec-9]  [ERROR] [o.a.c.c.C.[.[.[/api].[default] 175]  - Servlet.service() for servlet [default] in context with path [/api] threw exception
java.lang.RuntimeException: io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://172.30.0.1/apis/user.openshift.io/v1/users/~. Message: Unauthorized! Configured service account doesn't have access. Service account may have been revoked. Unauthorized.
	at org.eclipse.che.workspace.infrastructure.openshift.multiuser.oauth.OpenshiftTokenInitializationFilter.getUserId(OpenshiftTokenInitializationFilter.java:87)
	at org.eclipse.che.multiuser.api.authentication.commons.filter.MultiUserEnvironmentInitializationFilter.doFilter(MultiUserEnvironmentInitializationFilter.java:117)
	at org.eclipse.che.commons.logback.filter.RequestIdLoggerFilter.doFilter(RequestIdLoggerFilter.java:50)
	at com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:121)
	at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:133)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:194)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:167)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:544)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:143)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
	at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:764)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:364)
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:624)
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:831)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1651)
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.base/java.lang.Thread.run(Unknown Source)
Caused by: io.fabric8.kubernetes.client.KubernetesClientException: Failure executing: GET at: https://172.30.0.1/apis/user.openshift.io/v1/users/~. Message: Unauthorized! Configured service account doesn't have access. Service account may have been revoked. Unauthorized.
	at io.fabric8.kubernetes.client.dsl.base.OperationSupport.requestFailure(OperationSupport.java:681)
	at io.fabric8.kubernetes.client.dsl.base.OperationSupport.assertResponseCode(OperationSupport.java:618)
	at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:560)
	at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleResponse(OperationSupport.java:521)
	at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleGet(OperationSupport.java:488)
	at io.fabric8.kubernetes.client.dsl.base.OperationSupport.handleGet(OperationSupport.java:470)
	at io.fabric8.kubernetes.client.dsl.base.BaseOperation.handleGet(BaseOperation.java:827)
	at io.fabric8.kubernetes.client.dsl.base.BaseOperation.getMandatory(BaseOperation.java:197)
	at io.fabric8.kubernetes.client.dsl.base.BaseOperation.get(BaseOperation.java:164)
	at io.fabric8.kubernetes.client.dsl.base.BaseOperation.get(BaseOperation.java:88)
	at io.fabric8.openshift.client.DefaultOpenShiftClient.currentUser(DefaultOpenShiftClient.java:663)
	at org.eclipse.che.workspace.infrastructure.openshift.multiuser.oauth.OpenshiftTokenInitializationFilter.getCurrentUser(OpenshiftTokenInitializationFilter.java:113)
	at org.eclipse.che.workspace.infrastructure.openshift.multiuser.oauth.OpenshiftTokenInitializationFilter.getUserId(OpenshiftTokenInitializationFilter.java:81)
	... 23 common frames omitted

Additional context

env: rhpds
first fix che-server issue: #20304

@sparkoo sparkoo added the kind/bug Outline of a bug - must adhere to the bug report template. label Aug 9, 2021
@sleshchenko
Member

@sparkoo I'm not sure for which component you created this issue (probably for both of Che Server and Dashboard), but I would say Dashboard should get 401 instead of 500, then it can redirect user to the login page.

@sparkoo
Member Author

sparkoo commented Aug 9, 2021

> @sparkoo I'm not sure for which component you created this issue (probably for both of Che Server and Dashboard), but I would say Dashboard should get 401 instead of 500, then it can redirect user to the login page.

Looks like several improvements can be done here. I've created first PR on oauth-proxy configuration to set cookie expire after 24hrs eclipse-che/che-operator#1000 (we may need to make it configurable). This will make life easier when you open the dashboard after the token has expired. However, the dashboard is still confused when the token expires under its hands, because it's not refreshing the whole page and all of a sudden background requests start to fail (oauth-proxy is trying to redirect to login page and returns 302). Here I would agree with you that che-server should return 401 or 403 so Dashboard can react better (for example with redirect to /oauth/sign_out).
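The reaction proposed in the comment above, sketched as an added example that is not part of the thread and not the Che Dashboard's code: a fetch wrapper that treats a 401/403 from che-server, or a login redirect from oauth-proxy, as an expired session and navigates once to /oauth/sign_out. The names `createApiClient`, `isSessionExpired`, `fetchImpl` and `navigate` are hypothetical, and it assumes API endpoints never redirect legitimately.

```javascript
// Added example; only the /oauth/sign_out path and the 401/403/302
// behaviour come from the thread, every identifier here is hypothetical.
const SIGN_OUT_PATH = '/oauth/sign_out';

// Decide whether the response to a background API call means the
// OpenShift token behind the session is no longer valid.
function isSessionExpired(response) {
  // che-server answering 401 or 403, as suggested in the thread.
  if (response.status === 401 || response.status === 403) return true;
  // oauth-proxy answering 302 to the login page: with redirect 'manual'
  // a browser reports an opaque redirect (status 0) instead of following it.
  if (response.type === 'opaqueredirect') return true;
  // Runtimes that expose the raw 3xx (assumption: the API never redirects).
  return response.status >= 300 && response.status < 400;
}

// Wrap fetch so that the first failed background request triggers a single
// full-page navigation to sign-out, instead of every caller showing an error.
function createApiClient({ fetchImpl, navigate }) {
  let signingOut = false;
  return async function apiFetch(url, options = {}) {
    const response = await fetchImpl(url, {
      ...options,
      credentials: 'same-origin', // send the oauth-proxy cookie
      redirect: 'manual',         // do not silently follow the login redirect
    });
    if (isSessionExpired(response)) {
      if (!signingOut) {
        signingOut = true;
        navigate(SIGN_OUT_PATH);
      }
      throw new Error('session expired');
    }
    return response;
  };
}
```

In a browser this would be wired up as `createApiClient({ fetchImpl: window.fetch.bind(window), navigate: (p) => window.location.assign(p) })`.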

@sparkoo
Member Author

sparkoo commented Aug 17, 2021

@sleshchenko I've created new issue for che-server #20304 and this one will be Dashboard issue.

@sleshchenko sleshchenko added the severity/P2 Has a minor but important impact to the usage or development of the system. label Aug 25, 2021
@che-bot
Contributor

che-bot commented Feb 21, 2022

Issues go stale after 180 days of inactivity. lifecycle/stale issues rot after an additional 7 days of inactivity and eventually close.

Mark the issue as fresh with /remove-lifecycle stale in a new comment.

If this issue is safe to close now please do so.

Moderators: Add lifecycle/frozen label to avoid stale mode.

@che-bot che-bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Feb 21, 2022
@che-bot che-bot closed this as completed Feb 28, 2022