multiple auth windows open at once when session expires #162

Open
wasaga opened this issue Nov 4, 2022 · 2 comments
Labels
backend blocked PR/ISSUE is blocked by third party bug Something isn't working NeedsProposal

Comments

@wasaga
Contributor

wasaga commented Nov 4, 2022

What happened?

image

or, when IdP auth expires

image

  • a client with multiple connections to remote database (single remote TCP route)
  • authentication expired that results in a large amount of windows opening all at once

What did you expect to happen?

single auth for all? (enforce single flight?)

@desimone desimone added bug Something isn't working NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. labels Nov 7, 2022
@calebdoxsey
Collaborator

This is complicated. Routes can have different OIDC IdP credentials, which is why we can't assume that credentials for one TCP route can be used for another. So there's nothing to "single-flight". Each of these routes must initiate a separate login.

@calebdoxsey calebdoxsey added NeedsDiscussion blocked PR/ISSUE is blocked by third party labels Jan 3, 2023
@calebdoxsey
Collaborator

Another solution to this problem is to use a service account. With a service account we don't have to open any browser windows, so there won't be 100 opened; it will just use the same service account for all of them.

Theoretically if we had some mechanism of generating short-lived service accounts that required going through the authentication flow, we could issue the service account essentially as a local session for the device.
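
An added example (not from this thread and not Pomerium's code) of deduplicating logins keyed by route: connections to the same route share one flow, while different routes, which may use different IdP credentials, still log in separately. `RouteAuth`, `Token`, `Expire`, `CountLogins` and the route names are hypothetical.

```go
package main

import (
	"fmt"
	"sync"
	"sync/atomic"
)

// session holds one route's login result; once guarantees a single flow.
type session struct {
	once  sync.Once
	token string
}

// RouteAuth is a hypothetical client-side helper, keyed by route.
type RouteAuth struct {
	sessions sync.Map                  // route -> *session
	login    func(route string) string // stand-in for the browser login flow
}

// Token returns the route's session, starting a login only if none exists.
func (a *RouteAuth) Token(route string) string {
	v, _ := a.sessions.LoadOrStore(route, &session{})
	s := v.(*session)
	s.once.Do(func() { s.token = a.login(route) }) // other callers block here
	return s.token
}

// Expire forgets a route's session so the next connection logs in once more.
func (a *RouteAuth) Expire(route string) { a.sessions.Delete(route) }

// CountLogins opens conns concurrent connections per route, counts login flows.
func CountLogins(routes []string, conns int) int {
	var n int64
	a := &RouteAuth{login: func(r string) string {
		atomic.AddInt64(&n, 1)
		return "session-for-" + r
	}}
	var wg sync.WaitGroup
	for _, r := range routes {
		for i := 0; i < conns; i++ {
			wg.Add(1)
			go func(r string) { defer wg.Done(); a.Token(r) }(r)
		}
	}
	wg.Wait()
	return int(n)
}

func main() { fmt.Println(CountLogins([]string{"db.example.com:5432", "cache.example.com:6379"}, 50)) } // constructed routes
```

With two routes and 50 connections each, the login function runs twice rather than 100 times.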

@pomerium pomerium deleted a comment from calebdoxsey Jan 4, 2023
@desimone desimone removed NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. NeedsDiscussion labels Jan 19, 2023

4 participants