Konnectd token expiration

longsleep

Hi,

you need to set access_token_expiration as well. Setting the kc_session_timeout just has effect on the kc backend session and as upper limit for the configured access_token_expiration.

I see that the access_token_expiration value is not present in the cfg example - i guess if it were in there you would have found it?

From the serve --help

      --access-token-expiration uint          Expiration time of access tokens in seconds since generated (default 600)

It is a bit strange that you say the expiration is still 240 when you have set kc_session_timeout - since the Konnect default is 600, it should have become 600. Konnect logs a warning like WARN[0000] limiting access token duration to 240 seconds because of lower KOPANO_SERVER_SESSION_TIMEOUT if the access token duration gets limited.

I quickly checked, and it seems to work fine here.

fkroeger

Hi,
thanks for the reply.

@longsleep said in Konnectd token expiration:

Hi,

you need to set access_token_expiration as well. Setting the kc_session_timeout just has effect on the kc backend session and as upper limit for the configured access_token_expiration.

I see that the access_token_expiration value is not present in the cfg example - i guess if it were in there you would have found it?

Yes, I grepped for access_token.
I have added “access_token_expiration=3600” to konnectd.cfg. Still no luck :-(

I get following warning message:

groupware kopano-konnectd[3729]: level=warning msg="limiting access token duration to 240 seconds because of lower KOPANO_SERVER_SESSION_TIMEOUT"```

It is a bit strange that you say the expiration is still 240 when you have set kc_session_timeout - since the Konnect default is 600, it should have become 600. Konnect logs a warning like WARN[0000] limiting access token duration to 240 seconds because of lower KOPANO_SERVER_SESSION_TIMEOUT if the access token duration gets limited.

I quickly checked, and it seems to work fine here.

So somehow the value of session_timeout in server.cfg seems to get ignored. If I export KOPANO_SERVER_SESSION_TIMEOUT=3600 it gets cleared at the restart of konnectd.

longsleep

@fkroeger said in Konnectd token expiration:

So somehow the value of session_timeout in server.cfg seems to get ignored. If I export KOPANO_SERVER_SESSION_TIMEOUT=3600 it gets cleared at the restart of konnectd.

Strange, how do you run Konnect? The KOPANO_SERVER_SESSION_TIMEOUT is set in the bin script (https://github.com/Kopano-dev/konnect/blob/master/scripts/kopano-konnectd.binscript#L179) - at the moment i do not see how this could go wrong.

fkroeger

@longsleep said in Konnectd token expiration:

@fkroeger said in Konnectd token expiration:

So somehow the value of session_timeout in server.cfg seems to get ignored. If I export KOPANO_SERVER_SESSION_TIMEOUT=3600 it gets cleared at the restart of konnectd.

Strange, how do you run Konnect? The KOPANO_SERVER_SESSION_TIMEOUT is set in the bin script (https://github.com/Kopano-dev/konnect/blob/master/scripts/kopano-konnectd.binscript#L179) - at the moment i do not see how this could go wrong.

The server is running kweb and apache as legacy reverse proxy.
kweb:

/usr/libexec/kopano/kwebd serve --host=kopanoxx.xxx.de --email=xxx@xxx.de --agree --default-redirect=/webapp --reverse-proxy-legacy-http=127.0.0.1:7080 --root=/usr/share/kopano-kweb/www --http-port=80 --https-port=443```

konnectd:

/usr/libexec/kopano/konnectd serve --identifier-client-path=/usr/share/kopano-konnect/identifier-webapp --identifier-registration-conf=/etc/kopano/konnectd-identifier-registration.yaml --iss=https://kopanoxx.xxx.de --log-timestamp=false --log-level=debug --identifier-scopes-conf=/etc/kopano/konnectd-identifier-scopes.yaml --signing-private-key=/etc/kopano/konnectd-signing-private-key.pem --validation-keys-path=/etc/kopano/konnectkeys --encryption-secret=/etc/kopano/konnectd-encryption-secret.key --allow-client-guests --allow-dynamic-client-registration kc

fkroeger

This is the output of kopano-server --dump-config:

# abtable_initially_empty = no
# allocator_library = libtcmalloc_minimal.so.4
# allow_local_users = yes
attachment_compression = 6
# attachment_files_fsync = yes
attachment_path = /var/lib/kopano/attachments
# attachment_s3_accesskeyid =
# attachment_s3_bucketname =
# attachment_s3_hostname =
# attachment_s3_protocol = https
# attachment_s3_region =
# attachment_s3_secretaccesskey =
# attachment_s3_uristyle = virtualhost
attachment_storage = files
# audit_log_enabled = no
# audit_log_file = -
# audit_log_level = 1
# audit_log_method = syslog
# audit_log_timestamp = 0
# auth_method = plugin
# cache_acl_size = 1048576
# cache_cell_size = 0
# cache_cellcache_reads = yes
# cache_indexedobject_size = 0
# cache_object_size = 0
# cache_quota_lifetime = 1
# cache_quota_size = 0
# cache_server_lifetime = 30
# cache_server_size = 1048576
# cache_store_size = 1048576
# cache_user_size = 1048576
# cache_userdetails_lifetime = 0
# cache_userdetails_size = 0
# companyquota_warn = 0
# coredump_enabled = yes
createcompany_script = /usr/lib/kopano/userscripts/createcompany
# creategroup_script = /usr/lib/kopano/userscripts/creategroup
# createuser_script = /usr/lib/kopano/userscripts/createuser
database_engine = mysql
# default_sort_locale_id = en_US
deletecompany_script = /usr/lib/kopano/userscripts/deletecompany
# deletegroup_script = /usr/lib/kopano/userscripts/deletegroup
# deleteuser_script = /usr/lib/kopano/userscripts/deleteuser
# disabled_features = imap pop3
# embedded_attachment_limit = 20
# enable_distributed_kopano = false
# enable_enhanced_ics = yes
enable_gab = yes
enable_hosted_kopano = yes
# enable_sql_procedures = no
enable_sso = yes
# enable_test_protocol = no
# folder_max_items = 1000000
hide_everyone = yes
hide_system = yes
# kcoidc_initialize_timeout = 60
# kcoidc_insecure_skip_verify = no
kcoidc_issuer_identifier = https://kopanoxx.xxx.de
local_admin_users = root kopano administrator
# log_buffer_size = 0
log_file = /var/log/kopano/server.log
log_level = 6
log_method = file
log_timestamp = yes
loginname_format = %u@%c
# max_deferred_records = 0
# max_deferred_records_folder = 20
mysql_database = kopano
# mysql_engine = InnoDB
# mysql_group_concat_max_len = 21844
mysql_host = localhost
mysql_password = XXXXXXX
mysql_port = 3306
# mysql_socket =
mysql_user = kopano
# owner_auto_full_access = true
# pam_service = passwd
# pid_file = /var/run/kopano/server.pid
# proxy_header =
# quota_hard = 0
# quota_soft = 0
# quota_warn = 0
# request_log_file = -
# request_log_method = off
# restrict_admin_permissions = no
run_as_group = kopano
run_as_user = kopano
search_enabled = yes
# search_socket = file:///var/run/kopano/search.sock
# search_timeout = 10
# server_hostname =
server_listen = *%lo:236
# server_listen_tls =
# server_name =
# server_pipe_enabled = yes
# server_pipe_name = /var/run/kopano/server.sock
# server_pipe_priority = /var/run/kopano/prio.sock
server_read_timeout = 3600
server_recv_timeout = 3600
server_send_timeout = 3600
# server_ssl_ca_file = /etc/kopano/ssl/cacert.pem
# server_ssl_ca_path =
# server_ssl_ciphers = DEFAULT:!LOW:!SSLv2:!SSLv3:!TLSv1.0:!TLSv1.1:!EXPORT:!DH:!PSK:!kRSA:!aDSS:!aNULL:+AES
# server_ssl_curves = X25519:P-521:P-384:P-256
# server_ssl_key_file = /etc/kopano/ssl/server.pem
# server_ssl_key_pass = server
# server_ssl_prefer_server_ciphers = yes
# server_tls_min_proto = tls1.2
# session_ip_check = yes
session_timeout = 3600
# shared_reminders = yes
# softdelete_lifetime = 30
# sslkeys_path = /etc/kopano/sslkeys
# statsclient_interval = 0
# statsclient_ssl_verify = yes
# statsclient_url = unix:/var/run/kopano/statsd.sock
storename_format = %f (%c)
# surveyclient_interval = 3600
# surveyclient_ssl_verify = yes
# surveyclient_url = https://stats.kopano.io/api/stats/v1/submit
sync_gab_realtime = yes
# sync_lifetime = 90
# system_email_address = postmaster@localhost
# thread_limit = 40
# threads = 8
# tmp_path = /tmp
user_plugin = db
# user_plugin_config = /etc/kopano/ldap.cfg
# user_safe_mode = no
# watchdog_frequency = 1
# watchdog_max_age = 500

longsleep

@fkroeger well the token expiration is controlled by Konnect. You posted the libexec path to the konnect binary and you set that the environment variable is reset. So konnect should be started via it’s startup script - there it also sets the environment variables. And if all is right, the token expiration should become longer accordingly.

fkroeger

@longsleep said in Konnectd token expiration:

@fkroeger well the token expiration is controlled by Konnect. You posted the libexec path to the konnect binary and you set that the environment variable is reset. So konnect should be started via it’s startup script - there it also sets the environment variables. And if all is right, the token expiration should become longer accordingly.

Sorry, my previous post was a bit misleading.
I’m not starting kopano-konnect and kopano-kweb directly. They both are started by systemd with their corresponding service files.
The output in my previous post was the output of “ps aux”
Today I updated the server to the newest nightly build but the problem persists.

Without digging through the source code, can you tell me how the timeout of kopano-server is determined by kopano-konnect?

fkroeger

Hi,
I’ve searched for the access token expiration duration in the source of konnect and found following in bootstrap/kc.go:

        var sessionTimeoutSeconds uint64 = 300 // 5 Minutes is the default.
        if sessionTimeoutSecondsString := os.Getenv("KOPANO_SERVER_SESSION_TIMEOUT"); sessionTimeoutSecondsString != "" {
                var sessionTimeoutSecondsErr error
                sessionTimeoutSeconds, sessionTimeoutSecondsErr = strconv.ParseUint(sessionTimeoutSecondsString, 10, 64)
                if sessionTimeoutSecondsErr != nil {
                        return nil, fmt.Errorf("invalid KOPANO_SERVER_SESSION_TIMEOUT value: %v", sessionTimeoutSecondsErr)
                }
        }
        if !useGlobalSession && bs.accessTokenDurationSeconds+60 > sessionTimeoutSeconds {
                bs.accessTokenDurationSeconds = sessionTimeoutSeconds - 60
                bs.cfg.Logger.Warnf("limiting access token duration to %d seconds because of lower KOPANO_SERVER_SESSION_TIMEOUT", bs.accessTokenDurationSeconds)
        }
 

This part sets the expiration duration to 240s because KOPANO_SERVER_SESSION_TIMEOUT is null.
I have now set KOPANO_SERVER_SESSION_TIMEOUT in /etc/environment. So it should be set to my desired value of 3600.
Can it be that os.Getenv is not retrieving the value I set in /etc/environment?

fkroeger

I now added:

environment="KOPANO_SERVER_SESSION_TIMEOUT=3600"

to /lib/systemd/system/kopano-konnect.service

and the warning disappears.

longsleep

Well /etc/environment is only relevant for login sessions. Systemd services do not use them. As i linked before, the configuration file (https://github.com/Kopano-dev/konnect/blob/master/scripts/kopano-konnectd.service#L17) is loaded by systemd. If it does contain a value for kc_session_timeout (see https://github.com/Kopano-dev/konnect/blob/master/scripts/kopano-konnectd.binscript#L172-L181) the KOPANO_SERVER_SESSION_TIMEOUT variable is set to that value. There should be no need to manually set it in the service file.

fkroeger

@longsleep said in Konnectd token expiration:

Well /etc/environment is only relevant for login sessions. Systemd services do not use them. As i linked before, the configuration file (https://github.com/Kopano-dev/konnect/blob/master/scripts/kopano-konnectd.service#L17) is loaded by systemd. If it does contain a value for kc_session_timeout (see https://github.com/Kopano-dev/konnect/blob/master/scripts/kopano-konnectd.binscript#L172-L181) the KOPANO_SERVER_SESSION_TIMEOUT variable is set to that value. There should be no need to manually set it in the service file.

I have set kc_session_timeout and access_token_expiration to 3500. This has no effect. After I added KOPANO_SERVER_SESSION_TIMEOUT=3600 to /lib/systemd/system/kopano-konnect.service as environment I now have the default value of 600s as expiration duration.
If I add --access-token-expiration=3500 to ExecStart I get an error on start of konnect stating unkown flag.

If I issue:

kopano-konncectd serve --help

I get:

root@groupware:/etc/kopano# kopano-konnectd serve --help
Start server and listen for requests

Usage:
  konnectd serve <identity-manager> [...args] [flags]

Flags:
      --allow-client-guests                   Allow sign in of client controlled guest users
      --allow-dynamic-client-registration     Allow dynamic OAuth2 client registration
      --allow-scope stringArray               Allow OAuth 2 scope (can be used multiple times, if not set default scopes are allowed)
      --authorization-endpoint-uri string     Custom authorization endpoint URI
      --disable-identifier-client             Disable loading the identifier web client
      --encryption-secret string              Full path to a file containing a 32 bytes secret key
      --endsession-endpoint-uri string        Custom endsession endpoint URI
  -h, --help                                  help for serve
      --identifier-client-path string         Path to the identifier web client base folder (default "./identifier-webapp") (default "./identifier-webapp")
      --identifier-registration-conf string   Path to a identifier-registration.yaml configuration file
      --identifier-scopes-conf string         Path to a scopes.yaml configuration file
      --insecure                              Disable TLS certificate and hostname validation
      --iss string                            OIDC issuer URL
      --listen string                         TCP listen address (default "127.0.0.1:8777") (default "127.0.0.1:8777")
      --log-level string                      Log level (one of panic, fatal, error, warn, info or debug) (default "info")
      --log-timestamp                         Prefix each log line with timestamp (default true)
      --metrics-listen string                 TCP listen address for metrics (default "127.0.0.1:6777")
      --pprof-listen string                   TCP listen address for pprof (default "127.0.0.1:6060")
      --sign-in-uri string                    Custom redirection URI to sign-in form
      --signed-out-uri string                 Custom redirection URI to signed-out goodbye page
      --signing-kid string                    Value of kid field to use in created tokens (uniquely identifying the signing-private-key)
      --signing-method string                 JWT default signing method (default "PS256")
      --signing-private-key stringArray       Full path to PEM encoded private key file (must match the --signing-method algorithm)
      --trusted-proxy stringArray             Trusted proxy IP or IP network (can be used multiple times)
      --uri-base-path string                  Custom base path for URI endpoints
      --validation-keys-path string           Full path to a folder containing PEM encoded private or public key files used for token validaton (file name without extension is used as kid)
      --with-metrics                          Enable metrics
      --with-pprof                            With pprof enabled

longsleep

@fkroeger said in Konnectd token expiration:

kopano-konncectd serve --help

OK - what version of Konnect is that? It is probably too old to recognize this configuration options. Check with kopano-konnectd version.

According to the CHANGELOG, the options to configure token expiration have been added with 0.33.0.

## v0.33.0 (2020-04-16)

- Allow configuration of expiration of oidc access, id and refresh tokens
- Implement trampolin for external OIDC authority end session
- Update to latest Alpine release
- Update ca-certificates version

Since this is rather new, i guess you have an older version.

fkroeger

@longsleep said in Konnectd token expiration:

@fkroeger said in Konnectd token expiration:

kopano-konncectd serve --help

OK - what version of Konnect is that? It is probably too old to recognize this configuration options. Check with kopano-konnectd version.

According to the CHANGELOG, the options to configure token expiration have been added with 0.33.0.

## v0.33.0 (2020-04-16)

- Allow configuration of expiration of oidc access, id and refresh tokens
- Implement trampolin for external OIDC authority end session
- Update to latest Alpine release
- Update ca-certificates version

Since this is rather new, i guess you have an older version.

I’m running version 0.30.0.
Damn. This morning I updated to the newest nightly build, which didn’t change my problem, so I restored the backup I made, because with the newest version kopano-meet wasn’t able to retrieve the contacts.

I reinstall the nightly build later and test again.
Thank you for your time.

longsleep

@fkroeger said in Konnectd token expiration:

kopano-meet wasn’t able to retrieve the contacts.

I just learned that the current nightly version of kopano-grapi does not start (because of a falsy permission check). Follow up at https://forum.kopano.io/topic/3243/kopano-grapi-won-t-start-since-10-2-0-4-a5080ed-0-28-2-10-3-0-14-16bdb73-0-31-1-update - it might be related since contacts come from grapi and if that is not running …

fkroeger

@longsleep said in Konnectd token expiration:

@fkroeger said in Konnectd token expiration:

kopano-meet wasn’t able to retrieve the contacts.

I just learned that the current nightly version of kopano-grapi does not start (because of a falsy permission check). Follow up at https://forum.kopano.io/topic/3243/kopano-grapi-won-t-start-since-10-2-0-4-a5080ed-0-28-2-10-3-0-14-16bdb73-0-31-1-update - it might be related since contacts come from grapi and if that is not running …

Yes, that was it.
I installed the nightly builds from today and ran into the same error you referenced. The workaround did not work. I simply installed an older nightly build of the grapi packages and it works for now.

Access token expiration is now 3540s.

You are the man :-)

Since you are located in Germany as myself perhaps we see each other at an event (if my company is willing to pay for me to visit :-)) and I’ll buy you a beer.
Cheers
Frank Kroeger