
Audit #1 – General Overview when logged in – Page redirect/refresh happens periodically due to Oauth2 (?) #4336

Closed
marcus-herrmann opened this issue Nov 18, 2020 · 5 comments

Comments

@marcus-herrmann
Contributor

Connected to Audit 1, see #4300
1.2 General Overview when logged in, URL: https://ocis-a11y.owncloud.works/#/files/list

Issue

After either some form of inactivity or at a regular interval, the app redirects to get new OAuth2 tokens, as far as I understand. While I see the necessity, I'm afraid this is a violation of WCAG 2.2.1/BITV 2.2.1a, since it gives no warning and is not cancellable or adaptable, nor is the interval longer than 20 hours (I'm not kidding – this is literally in the WCAG): https://www.w3.org/TR/UNDERSTANDING-WCAG20/time-limits-required-behaviors.html

Remediation

Remove the redirect, add a warning, make it cancellable or adaptable, or make the interval between automatic redirects longer than 20 hours.

@LukasHirt
Collaborator

@marcus-herrmann Could you please provide more info regarding this issue? As we already discussed, this shouldn't be happening, so it is probably a bug. Do you remember what page you were on, whether you landed back on the same page afterwards, etc.? There should be a silent token refresh happening in the background, so the user shouldn't even notice it (unless they open the console and see the log message about it). This issue was happening with OAuth2, but with OIDC (on the tested instance it was konnectd) it shouldn't be happening.
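
The "silent token refresh in the background" described in the comment above, as an added illustration that is not ownCloud Web / oCIS code and not what the tested instance runs: the client reads the `exp` claim of its current access token purely to schedule a renewal a little before expiry, asks the IdP for a new token, swaps it in memory and reschedules, without ever changing `location`. The token format (JWT with `exp`), the `renewFn` stub standing in for the IdP call, the injectable clock and the hypothetical `SilentRenewer`/`fakeClock` names are all assumptions of this example. On a failed renewal it keeps the still-valid token, retries before expiry and raises a warning callback instead of bouncing the user to the IdP, which is the behaviour the WCAG 2.2.1 point in the issue asks for.

```javascript
// Added example (not ownCloud Web / oCIS code): client side of a silent OIDC
// token renewal. Assumed: JWT access tokens carrying an `exp` claim; `renewFn`
// is the caller's (sync or async) call to the IdP token endpoint, stubbed here.

function base64UrlDecode(s) {
  if (typeof Buffer !== 'undefined') return Buffer.from(s, 'base64url').toString('utf8');
  return atob(s.replace(/-/g, '+').replace(/_/g, '/')); // browser path, ASCII payload assumed
}

// Reads `exp` only to *schedule* renewal. The client does not verify the
// signature and must never make authorization decisions from these claims.
function jwtExpiryMs(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a JWS compact token');
  const payload = JSON.parse(base64UrlDecode(parts[1]));
  if (!Number.isFinite(payload.exp)) throw new Error('token has no exp claim');
  return payload.exp * 1000;
}

// Milliseconds until renewal should run: `leadMs` before expiry, never negative.
function renewDelayMs(token, nowMs, leadMs) {
  return Math.max(0, jwtExpiryMs(token) - nowMs - leadMs);
}

class SilentRenewer {
  constructor({ token, renewFn, leadMs = 60_000, retryMs = 5_000, onWarning = () => {},
                now = Date.now, setTimer = setTimeout, clearTimer = clearTimeout }) {
    Object.assign(this, { token, renewFn, leadMs, retryMs, onWarning, now, setTimer, clearTimer });
    this.timer = null;
    this.renewals = 0;
  }
  start() { this.schedule(renewDelayMs(this.token, this.now(), this.leadMs)); }
  schedule(delay) { this.timer = this.setTimer(() => this.renew(), delay); }
  renew() {
    this.timer = null;
    let result;
    try { result = this.renewFn(this.token); } catch (err) { return this.fail(err); }
    if (result && typeof result.then === 'function') return result.then((t) => this.accept(t), (e) => this.fail(e));
    return this.accept(result);
  }
  accept(newToken) {
    if (jwtExpiryMs(newToken) <= this.now()) return this.fail(new Error('IdP returned an expired token'));
    this.token = newToken; // swapped in memory: no navigation, no reload, no storage
    this.renewals++;
    this.start();
    return true;
  }
  fail(err) {
    // Keep the still-valid token, retry before it expires, and let the UI show a
    // cancellable warning rather than redirecting the user mid-task.
    const remaining = jwtExpiryMs(this.token) - this.now();
    this.onWarning({ error: err, expiresInMs: remaining });
    if (remaining > 0) this.schedule(Math.min(this.retryMs, remaining));
    return false;
  }
  stop() { if (this.timer !== null) { this.clearTimer(this.timer); this.timer = null; } }
}

// Constructed, unsigned token for the offline demo only (empty signature part);
// a real IdP signs tokens and the resource server verifies them.
function demoToken(expSeconds) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc({ sub: 'alice', exp: expSeconds })}.`;
}

// Deterministic clock/timers so the demo runs offline and in a test.
function fakeClock(startMs) {
  let now = startMs, nextId = 1;
  const timers = new Map();
  return {
    now: () => now,
    setTimer: (fn, delay) => { const id = nextId++; timers.set(id, { at: now + delay, fn }); return id; },
    clearTimer: (id) => { timers.delete(id); },
    advance(ms) { // fire due timers in order, then land on the target time
      const target = now + ms;
      for (;;) {
        const due = [...timers.entries()].filter(([, t]) => t.at <= target).sort((a, b) => a[1].at - b[1].at);
        if (due.length === 0) break;
        const [id, t] = due[0];
        timers.delete(id);
        now = t.at;
        t.fn();
      }
      now = target;
    },
  };
}

// 10-minute tokens (the interval reported in the issue), half an hour of idle time.
function runDemo() {
  const clock = fakeClock(1_700_000_000_000);
  const tokenFor = (lifetimeMs) => demoToken(Math.floor((clock.now() + lifetimeMs) / 1000));
  const warnings = [];
  let issued = 0;
  const renewer = new SilentRenewer({
    token: tokenFor(600_000),
    renewFn: () => { issued++; return tokenFor(600_000); }, // stub for the IdP token call
    leadMs: 60_000,
    onWarning: (w) => warnings.push(w),
    now: clock.now, setTimer: clock.setTimer, clearTimer: clock.clearTimer,
  });
  renewer.start();
  clock.advance(30 * 60_000);
  renewer.stop();
  return { renewals: renewer.renewals, issued, warnings: warnings.length };
}
```

`runDemo()` renews three times in thirty minutes (at 9, 18 and 27 minutes) with no warnings and no navigation; a real client replaces `renewFn` with its token-endpoint or refresh-token call and passes the browser's `setTimeout`/`clearTimeout`. The only client-side use of the unverified `exp` claim is timing; whether the token is actually still accepted is the resource server's decision.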

@marcus-herrmann
Contributor Author

marcus-herrmann commented Nov 25, 2020

@LukasHirt Worked with a stopwatch and screen recording this time:

10min after logging in and doing nothing the following happens:

https://www.youtube.com/watch?v=MH3Qp_gsGsk&feature=youtu.be

I'm redirected exactly to where I was at that moment. In the video it's file/list, but I remember it "memorizing the current URL/route" the last time I stumbled over it.

This behaviour is not connected to the idle state, but I wanted to try today whether I could cause it with any interaction, since this effect appeared last Wednesday while auditing (interacting with the UI, inspecting the UI).

Chrome 85/Mac.

I had the same window open in Firefox 83 for 30min, but saw no redirect there.

@kulmann
Contributor

kulmann commented Nov 25, 2020

@marcus-herrmann thank you for taking the time to reproduce this. You found a bug 🎉 Like Lukas explained, it's not supposed to have a redirect for token refresh; that should actually happen in the background. We'll look into it... thanks for spotting this!

@marcus-herrmann
Contributor Author

@kulmann Happy to help! :)

@pascalwengerter
Contributor

The general redirect/refresh should have been resolved by now, thanks for the cooperation and please open a new ticket if more issues arise!
