How to handle session expiration in already loaded app?

What happened?

Hello,
We are using Pomerium v0.19. Our auth provider is MS Azure. The session length is setup to 1h. We are running Pomerium in k8s and using Traefik.
We have an application opened in the browser and we have an issue which I cannot solve or find information on how it should be handled. When the session expires, every HTTP request fails with:

identity/oidc: user info endpoint: 401 Unauthorized: {"error":{"code":"InvalidAuthenticationToken","innerError":{"client-request-id":"d12dfb81-b326-4e77-aef9-d80730990670","date":"2023-07-23T03:59:10","request-id":"d12dfb81-b326-4e77-aef9-d80730990670"},"message":"Access token has expired or is not yet valid."}}
But I am expecting the page will be redirected to login page.
If I refresh the page, there is an error “not internet connection”, which is weird. If I close and open the page again, the normal login appears and everything works as expected.

What did you expect to happen?

When the session expires, the user is redirected to login.

I believe this is a common use case which I just can’t find information about.
It would be amazing if somebody could point me in the right direction on how to do this properly.

  1. Please provide the configuration and the full set of logs that are relevant to the issue, including access and authorization logs.
  2. Please advise whether you have a max session duration set on the Azure side or for the Pomerium session cookie.

It would also help if you could try it without Traefik using latest official Pomerium version for Kubernetes, and see if the problem is reproducible there.

Hello,

          extraEnv:
            IDP_REFRESH_DIRECTORY_INTERVAL: "60m"
            IDP_REFRESH_DIRECTORY_TIMEOUT: "59m"
            JWT_CLAIMS_HEADERS: "email"
            COOKIE_NAME: "_pomerium_ad"

            # Debug keys
            POMERIUM_DEBUG: "true"
            LOG_LEVEL: "debug"
            PROXY_LOG_LEVEL: "debug"

As I said, “Access token has expired or is not yet valid” after 1 hour is fine. The question is, what is the best practice for handling this in the application? Should the application somehow check if the session is still valid? What should it do if the session is not valid anymore, just a page refresh?

Your application should receive HTTP 401 with Location header set for re-authentication. The browser normally handles that, which is why I asked for logs given that you say you do not observe the automatic redirect behaviour.

The only case where an application has to be aware of and handle such a response is XHR requests, which are common in single page applications, as the browser would not do a page redirect then. Your application should process such a response in its fetch handler and cause a reload in the main document window, which would cause the main page URL to be re-validated with Pomerium; that would result in a browser redirect to authenticate, a new session cookie, etc.
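An added example (not Pomerium's code and not from anyone in this thread) of the handling described above for a single page app: a fetch() wrapper that recognises the 401-with-Location response an expired session produces and reloads the main document so the browser can be redirected to log in again. The Pomerium-looking URL in the comments is a constructed placeholder.

```javascript
// Pure decision helper, kept free of browser globals so it can be unit-tested.
// `headers` is anything with a get() method (a Headers object, or a Map keyed in
// lowercase). Returns the re-authentication URL when the response asks for a new
// login, "" when a redirect happened but the header is hidden, and null otherwise.
function reauthLocation(status, headers) {
  const location = headers.get("location");
  // Pomerium answers an expired-session XHR with 401 plus a Location header.
  // A proxy in front (this thread mentions Traefik) may rewrite that into a 302.
  if ((status === 401 || status === 302) && location) return location;
  // With redirect: "manual", fetch() surfaces a 302 as an "opaqueredirect"
  // response (status 0) and hides Location; the caller passes 0 for that case.
  if (status === 0) return "";
  return null;
}

// fetch() wrapper for the app's XHR calls. Assumes a browser window and that the
// API routes behind Pomerium never issue redirects of their own (assumption).
async function authFetch(input, init = {}) {
  const response = await fetch(input, {
    ...init,
    credentials: "include", // send the Pomerium session cookie
    redirect: "manual",     // do not silently follow a login redirect
  });
  const status = response.type === "opaqueredirect" ? 0 : response.status;
  const target = reauthLocation(status, response.headers);
  if (target !== null) {
    // Reloading the main document makes Pomerium re-validate the page URL,
    // redirect to the IdP and set a fresh session cookie. Throw so callers never
    // try to parse the login page (e.g. https://authenticate.example.test/...)
    // as API data.
    window.location.reload();
    throw new Error("session expired; reloading to re-authenticate");
  }
  return response;
}
```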

This makes sense.
My app receives 302 instead of 401. In Pomerium I see 401. This can be explained by Traefik, which “converts” 401 to 302.
Probably, the approach is the same as you described:

I have to use this Location as the redirect.

@denis My apologies for going off-topic.
Could you show the content of the following ticket:
https://github.com/pomerium/internal/issues/1207

We are struggling with Pomerium auth performance and I think it could be related to the bug where invalid sessions were not deleted from the DB. But since I can’t see the internal ticket, I can’t be sure this is our case.

Hello, 1207 should be irrelevant.

We are struggling with Pomerium auth performance

Could you please elaborate? You may enable tracing in Pomerium to see timings for various ops.

@denis I did, and I see Pomerium is spending 2-4s (databroker) on auth. But I don’t know why. The logs do not show a lot.

  1. Please post the traces here so that we understand specifically where the time is being spent.
  2. Please try the official current distribution for Kubernetes - it is optimized and has far fewer moving parts compared to your current deployment.