Konnectd token expiration
-
@fkroeger well the token expiration is controlled by Konnect. You posted the libexec path to the konnect binary and you set that the environment variable is reset. So konnect should be started via its startup script - there it also sets the environment variables. And if all is right, the token expiration should become longer accordingly.
-
@longsleep said in Konnectd token expiration:
@fkroeger well the token expiration is controlled by Konnect. You posted the libexec path to the konnect binary and you set that the environment variable is reset. So konnect should be started via its startup script - there it also sets the environment variables. And if all is right, the token expiration should become longer accordingly.
Sorry, my previous post was a bit misleading.
I’m not starting kopano-konnect and kopano-kweb directly. They both are started by systemd with their corresponding service files.
The output in my previous post was the output of “ps aux”
Today I updated the server to the newest nightly build but the problem persists. Without digging through the source code, can you tell me how the timeout of kopano-server is determined by kopano-konnect?
-
Hi,
I’ve searched for the access token expiration duration in the source of konnect and found the following in bootstrap/kc.go:

```go
var sessionTimeoutSeconds uint64 = 300 // 5 Minutes is the default.
if sessionTimeoutSecondsString := os.Getenv("KOPANO_SERVER_SESSION_TIMEOUT"); sessionTimeoutSecondsString != "" {
	var sessionTimeoutSecondsErr error
	sessionTimeoutSeconds, sessionTimeoutSecondsErr = strconv.ParseUint(sessionTimeoutSecondsString, 10, 64)
	if sessionTimeoutSecondsErr != nil {
		return nil, fmt.Errorf("invalid KOPANO_SERVER_SESSION_TIMEOUT value: %v", sessionTimeoutSecondsErr)
	}
}
if !useGlobalSession && bs.accessTokenDurationSeconds+60 > sessionTimeoutSeconds {
	bs.accessTokenDurationSeconds = sessionTimeoutSeconds - 60
	bs.cfg.Logger.Warnf("limiting access token duration to %d seconds because of lower KOPANO_SERVER_SESSION_TIMEOUT", bs.accessTokenDurationSeconds)
}
```
This part sets the expiration duration to 240s because KOPANO_SERVER_SESSION_TIMEOUT is null.
I have now set KOPANO_SERVER_SESSION_TIMEOUT in /etc/environment. So it should be set to my desired value of 3600.
Can it be that os.Getenv is not retrieving the value I set in /etc/environment?
-
I now added:
Environment="KOPANO_SERVER_SESSION_TIMEOUT=3600"
to /lib/systemd/system/kopano-konnect.service
and the warning disappears.
-
Well, /etc/environment is only relevant for login sessions. Systemd services do not use it. As I linked before, the configuration file (https://github.com/Kopano-dev/konnect/blob/master/scripts/kopano-konnectd.service#L17) is loaded by systemd. If it does contain a value for kc_session_timeout (see https://github.com/Kopano-dev/konnect/blob/master/scripts/kopano-konnectd.binscript#L172-L181) the KOPANO_SERVER_SESSION_TIMEOUT variable is set to that value. There should be no need to manually set it in the service file.
-
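The two posts above describe the whole path of the value: the start script exports KOPANO_SERVER_SESSION_TIMEOUT into the konnect process, and bootstrap/kc.go then reduces the access token lifetime so that it ends at least 60 seconds before the kopano-server session. The following Go program is an added example, not konnect's own code: it re-implements that clamping rule as a function and runs it over the values mentioned in this thread (variable unset, 3600 from kc_session_timeout, the 600 s default). The names clampAccessTokenDuration, parseSessionTimeout, ClampResult and the 120-second floor are this example's own assumptions; the floor is added because the quoted snippet subtracts 60 from an unsigned integer, so a timeout below 60 would wrap instead of failing.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strconv"
)

// Constants of this example (konnect's real default for an unset variable is 300, as quoted above).
const defaultSessionTimeoutSeconds uint64 = 300
const minSessionTimeoutSeconds uint64 = 120 // this example's own floor, see clampAccessTokenDuration

// ClampResult records what the rule decided so the caller can log it.
type ClampResult struct {
	AccessTokenSeconds uint64
	SessionTimeout     uint64
	Limited            bool // true when the requested duration was reduced
}

// parseSessionTimeout mirrors the os.Getenv / strconv.ParseUint step from the
// quoted snippet: an empty value means "use the default", a non-numeric value is an error.
func parseSessionTimeout(raw string) (uint64, error) {
	if raw == "" {
		return defaultSessionTimeoutSeconds, nil
	}
	v, err := strconv.ParseUint(raw, 10, 64)
	if err != nil {
		return 0, fmt.Errorf("invalid KOPANO_SERVER_SESSION_TIMEOUT value: %w", err)
	}
	return v, nil
}

// clampAccessTokenDuration enforces "the access token must expire at least 60 s
// before the kopano-server session does" unless a global session is in use.
// Unlike the quoted snippet it rejects very small session timeouts instead of
// letting the unsigned subtraction wrap around to an enormous token lifetime.
func clampAccessTokenDuration(requested uint64, rawSessionTimeout string, useGlobalSession bool) (ClampResult, error) {
	sessionTimeout, err := parseSessionTimeout(rawSessionTimeout)
	if err != nil {
		return ClampResult{}, err
	}
	res := ClampResult{AccessTokenSeconds: requested, SessionTimeout: sessionTimeout}
	if useGlobalSession {
		return res, nil
	}
	if sessionTimeout < minSessionTimeoutSeconds {
		return ClampResult{}, errors.New("KOPANO_SERVER_SESSION_TIMEOUT too small to leave room for an access token")
	}
	if requested+60 > sessionTimeout {
		res.AccessTokenSeconds = sessionTimeout - 60
		res.Limited = true
	}
	return res, nil
}

// fromEnvironment is what a daemon would call. It only sees the environment of
// its own process: for a systemd unit that is what Environment=, EnvironmentFile=
// or the start script exported, never what /etc/environment contains.
func fromEnvironment(requested uint64, useGlobalSession bool) (ClampResult, error) {
	return clampAccessTokenDuration(requested, os.Getenv("KOPANO_SERVER_SESSION_TIMEOUT"), useGlobalSession)
}

func main() {
	// Constructed scenarios using the numbers that appear in this thread.
	cases := []struct {
		name       string
		requested  uint64
		sessionEnv string
	}{
		{"variable unset, 600 s default requested", 600, ""},
		{"kc_session_timeout=3600, 600 s default requested", 600, "3600"},
		{"kc_session_timeout=3600, 3600 s requested", 3600, "3600"},
		{"non-numeric value", 600, "1h"},
	}
	for _, c := range cases {
		res, err := clampAccessTokenDuration(c.requested, c.sessionEnv, false)
		if err != nil {
			fmt.Printf("%-50s error: %v\n", c.name, err)
			continue
		}
		fmt.Printf("%-50s access token %4ds (limited=%t)\n", c.name, res.AccessTokenSeconds, res.Limited)
	}
	if res, err := fromEnvironment(600, false); err == nil {
		fmt.Printf("from this process' environment: access token %ds\n", res.AccessTokenSeconds)
	}
}
```

Running it reproduces the thread: with the variable unset the 600 s default is cut to 240 s, with 3600 s exported the default is no longer limited, and a 3600 s token against a 3600 s session lands at 3540 s. The fromEnvironment call is the one to use when checking what a running service actually sees.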
@longsleep said in Konnectd token expiration:
Well, /etc/environment is only relevant for login sessions. Systemd services do not use it. As I linked before, the configuration file (https://github.com/Kopano-dev/konnect/blob/master/scripts/kopano-konnectd.service#L17) is loaded by systemd. If it does contain a value for kc_session_timeout (see https://github.com/Kopano-dev/konnect/blob/master/scripts/kopano-konnectd.binscript#L172-L181) the KOPANO_SERVER_SESSION_TIMEOUT variable is set to that value. There should be no need to manually set it in the service file.
I have set kc_session_timeout and access_token_expiration to 3500. This has no effect. After I added KOPANO_SERVER_SESSION_TIMEOUT=3600 to /lib/systemd/system/kopano-konnect.service as environment I now have the default value of 600s as expiration duration.
If I add --access-token-expiration=3500 to ExecStart I get an error on start of konnect stating unknown flag. If I issue:
kopano-konnectd serve --help
I get:
```
root@groupware:/etc/kopano# kopano-konnectd serve --help
Start server and listen for requests

Usage:
  konnectd serve <identity-manager> [...args] [flags]

Flags:
      --allow-client-guests                    Allow sign in of client controlled guest users
      --allow-dynamic-client-registration      Allow dynamic OAuth2 client registration
      --allow-scope stringArray                Allow OAuth 2 scope (can be used multiple times, if not set default scopes are allowed)
      --authorization-endpoint-uri string      Custom authorization endpoint URI
      --disable-identifier-client              Disable loading the identifier web client
      --encryption-secret string               Full path to a file containing a 32 bytes secret key
      --endsession-endpoint-uri string         Custom endsession endpoint URI
  -h, --help                                   help for serve
      --identifier-client-path string          Path to the identifier web client base folder (default "./identifier-webapp") (default "./identifier-webapp")
      --identifier-registration-conf string    Path to a identifier-registration.yaml configuration file
      --identifier-scopes-conf string          Path to a scopes.yaml configuration file
      --insecure                               Disable TLS certificate and hostname validation
      --iss string                             OIDC issuer URL
      --listen string                          TCP listen address (default "127.0.0.1:8777") (default "127.0.0.1:8777")
      --log-level string                       Log level (one of panic, fatal, error, warn, info or debug) (default "info")
      --log-timestamp                          Prefix each log line with timestamp (default true)
      --metrics-listen string                  TCP listen address for metrics (default "127.0.0.1:6777")
      --pprof-listen string                    TCP listen address for pprof (default "127.0.0.1:6060")
      --sign-in-uri string                     Custom redirection URI to sign-in form
      --signed-out-uri string                  Custom redirection URI to signed-out goodbye page
      --signing-kid string                     Value of kid field to use in created tokens (uniquely identifying the signing-private-key)
      --signing-method string                  JWT default signing method (default "PS256")
      --signing-private-key stringArray        Full path to PEM encoded private key file (must match the --signing-method algorithm)
      --trusted-proxy stringArray              Trusted proxy IP or IP network (can be used multiple times)
      --uri-base-path string                   Custom base path for URI endpoints
      --validation-keys-path string            Full path to a folder containing PEM encoded private or public key files used for token validaton (file name without extension is used as kid)
      --with-metrics                           Enable metrics
      --with-pprof                             With pprof enabled
```
-
@fkroeger said in Konnectd token expiration:
kopano-konnectd serve --help
OK - what version of Konnect is that? It is probably too old to recognize these configuration options. Check with kopano-konnectd version. According to the CHANGELOG, the options to configure token expiration have been added with 0.33.0.
## v0.33.0 (2020-04-16)
- Allow configuration of expiration of oidc access, id and refresh tokens
- Implement trampolin for external OIDC authority end session
- Update to latest Alpine release
- Update ca-certificates version
Since this is rather new, I guess you have an older version.
-
@longsleep said in Konnectd token expiration:
@fkroeger said in Konnectd token expiration:
kopano-konnectd serve --help
OK - what version of Konnect is that? It is probably too old to recognize these configuration options. Check with kopano-konnectd version. According to the CHANGELOG, the options to configure token expiration have been added with 0.33.0.
## v0.33.0 (2020-04-16)
- Allow configuration of expiration of oidc access, id and refresh tokens
- Implement trampolin for external OIDC authority end session
- Update to latest Alpine release
- Update ca-certificates version
Since this is rather new, I guess you have an older version.
I’m running version 0.30.0.
Damn. This morning I updated to the newest nightly build, which didn’t change my problem, so I restored the backup I made, because with the newest version kopano-meet wasn’t able to retrieve the contacts. I will reinstall the nightly build later and test again.
Thank you for your time.
-
@fkroeger said in Konnectd token expiration:
kopano-meet wasn’t able to retrieve the contacts.
I just learned that the current nightly version of kopano-grapi does not start (because of a faulty permission check). Follow up at https://forum.kopano.io/topic/3243/kopano-grapi-won-t-start-since-10-2-0-4-a5080ed-0-28-2-10-3-0-14-16bdb73-0-31-1-update - it might be related since contacts come from grapi and if that is not running …
-
@longsleep said in Konnectd token expiration:
@fkroeger said in Konnectd token expiration:
kopano-meet wasn’t able to retrieve the contacts.
I just learned that the current nightly version of kopano-grapi does not start (because of a faulty permission check). Follow up at https://forum.kopano.io/topic/3243/kopano-grapi-won-t-start-since-10-2-0-4-a5080ed-0-28-2-10-3-0-14-16bdb73-0-31-1-update - it might be related since contacts come from grapi and if that is not running …
Yes, that was it.
I installed the nightly builds from today and ran into the same error you referenced. The workaround did not work. I simply installed an older nightly build of the grapi packages and it works for now. Access token expiration is now 3540s.
You are the man :-)
Since you are located in Germany as myself perhaps we see each other at an event (if my company is willing to pay for me to visit :-)) and I’ll buy you a beer.
Cheers
Frank Kroeger