Audit #1 – General Overview when logged in – Page redirect/refresh happens periodically due to Oauth2 (?) #4336
Comments
@marcus-herrmann Could you pls provide more info regarding this issue? As we already discussed, this shouldn't be happening so it is probably a bug. Do you remember what page you were currently in, if you landed back in the same page afterwards, etc.? A silent token refresh should be happening in the background so the user shouldn't even know about it (unless he opens a console and sees the console log about it). This issue was happening with oauth2 but with OIDC (on the tested instance it was konnectd) it shouldn't be happening.
@LukasHirt Worked with a stopwatch and screen recording this time: 10min after logging in and doing nothing the following happens: https://www.youtube.com/watch?v=MH3Qp_gsGsk&feature=youtu.be I'm redirected exactly to where I was at that moment. In the video, it's file/list, but I remember it to "memorize the current URL/route" last time I stumbled over it. This behaviour is not connected to the idle state, but I wanted to try today whether I cause it with any interaction, since this effect appeared last Wednesday while auditing (interacting with UI, inspecting UI). Chrome 85/Mac. I had the same window open in Firefox 83 for 30min, but saw no redirect there.
@marcus-herrmann thank you for taking the time to reproduce this. You found a bug 🎉 Like Lukas explained, it's not supposed to have a redirect for token refresh, that should actually happen in the background. We'll look into it... thanks for spotting this!
@kulmann Happy to help! :)
The general redirect/refresh should have been resolved by now, thanks for the cooperation and please open a new ticket if more issues arise! |
Connected to Audit 1, see #4300
1.2 General Overview when logged in, URL: https://ocis-a11y.owncloud.works/#/files/list
Issue
After either some form of inactivity or in a regular interval the app redirects to get new OAuth2 tokens, as far as I understand. While I see the necessity, I'm afraid this is a violation of WCAG 2.2.1/BITV 2.2.1a, since it gives no warning, is not cancellable or adaptable, and is not longer than 20 hours (I'm not kidding – this is literally in the WCAG): https://www.w3.org/TR/UNDERSTANDING-WCAG20/time-limits-required-behaviors.html
Remediation
Remove the redirect, add a warning, make it cancellable or adaptable, or make the interval between automatic redirects longer than 20 hours.