[BUG] OpenID Token not refreshed #1522

Closed
mueller-tobias opened this issue Jul 20, 2023 · 15 comments · Fixed by #1580
Labels: bug (Something isn't working), triaged

Comments

@mueller-tobias

What is the bug?
We've rolled out an OpenSearch cluster with the OpenSearch Operator. We connected the dashboards and the cluster via OpenID to a Keycloak IdP and use it for our login.

The problem is that after a few minutes the user is logged out and has to log in again. Not in Keycloak, just in OpenSearch.
In the OpenSearch pods I see the error that the token has expired. It seems like the token isn't refreshed through the security plugin. According to issue #232, the token refresh is triggered through the dashboard, e.g. the security plugin.

I don't see any token refresh request in the Keycloak logs. It seems that no one is refreshing the token.

[2023-07-20T08:00:57,870][INFO ][c.a.d.a.h.j.AbstractHTTPJwtAuthenticator] [central-logging-master-0] Extracting JWT token from eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJKQU9SbWpjM1M1Zjh4RHFCWUtjbktNRlo4NDI4YXFSUVdQb0xxX1FPRGJNIn0.eyJleHAiOjE2ODk4Mzk5NDEsImlhdCI6MTY4OTgzOTg4MSwiYXV0aF90aW1lIjoxNjg5ODM0ODU0LCJqdGkiOiIzMGY4NTg1My1kODU2LTRiZTctOWVkOS00MWQ4MzIwZTRkMDUiLCJpc3MiOiJodHRwczovL2tleWNsb2FrLnNlcnZpY2Uua29nbzRpYy5kZS9yZWFsbXMvbWFzdGVyIiwiYXVkIjoib3BlbnNlYXJjaCIsInN1YiI6ImEyMWM1Nzk1LTAyNjUtNDU0Mi1hYmNlLTlkZmJlYzliZjY2ZSIsInR5cCI6IklEIiwiYXpwIjoib3BlbnNlYXJjaCIsInNlc3Npb25fc3RhdGUiOiJlMjhkMzUzNy0wNjM4LTQ1ZTktYjI5Yy05MWNiMmYyYjNlOGQiLCJhdF9oYXNoIjoieWNDbkM3TXNiTE1hOGN6QVJUMnBndyIsImFjciI6IjAiLCJzaWQiOiJlMjhkMzUzNy0wNjM4LTQ1ZTktYjI5Yy05MWNiMmYyYjNlOGQiLCJlbWFpbF92ZXJpZmllZCI6dHJ1ZSwiYWRkcmVzcyI6e30sInJvbGVzIjpbImFkbWluIiwiYWxsX2FjY2VzcyIsImtpYmFuYXVzZXIiXSwibmFtZSI6IlRvYmlhcyBNw7xsbGVyIiwiZ3JvdXBzIjpbIkFyZ29DRC1BZG1pbnMiLCJSYW5jaGVyLUFkbWlucyIsImsxMDphZG1pbnMiXSwicHJlZmVycmVkX3VzZXJuYW1lIjoidG1AZXJpa3N0ZXJjay5kZSIsImdpdmVuX25hbWUiOiJUb2JpYXMiLCJmYW1pbHlfbmFtZSI6Ik3DvGxsZXIiLCJlbWFpbCI6InRtQGVyaWtzdGVyY2suZGUifQ.bYmlY8i7dpR3r89ptW9ZzxNcLAg5HuUWAnAPlXzih2Lxy51C_DyBb5A1FtLpGAGTKuxEwVlGs13MLwZjCiGGAF4zNSxrbrhlaQz3-kNnRRtkcuZimPsvz71kdAv5WdPfNkKBeF2jCR2U8NcjFPF8UpDEkSY2JxxV6331HUiX41NldeBxe7YgjI19F0cESBWU-nt-ZDE-m5h3302lg2DfwW0jHyzVeVbwR_CMvuiuCBnASP3M86xalZuOmFsCOh-w5hj8MpfWXTCpg5YjFBUBikhgNwRWYHddTfDBx0T1LSoRVEqsPJxhxK43b_lw5SwJ52z0bEtpINq63uIYAs9xIA failed
com.amazon.dlic.auth.http.jwt.keybyoidc.BadCredentialsException: The token has expired
	at com.amazon.dlic.auth.http.jwt.keybyoidc.JwtVerifier.getVerifiedJwtToken(JwtVerifier.java:79) ~[opensearch-security-2.7.0.0.jar:2.7.0.0]
	at com.amazon.dlic.auth.http.jwt.AbstractHTTPJwtAuthenticator.extractCredentials0(AbstractHTTPJwtAuthenticator.java:111) [opensearch-security-2.7.0.0.jar:2.7.0.0]
	at com.amazon.dlic.auth.http.jwt.AbstractHTTPJwtAuthenticator$1.run(AbstractHTTPJwtAuthenticator.java:93) [opensearch-security-2.7.0.0.jar:2.7.0.0]
	at com.amazon.dlic.auth.http.jwt.AbstractHTTPJwtAuthenticator$1.run(AbstractHTTPJwtAuthenticator.java:90) [opensearch-security-2.7.0.0.jar:2.7.0.0]
	at java.security.AccessController.doPrivileged(AccessController.java:318) [?:?]
	at com.amazon.dlic.auth.http.jwt.AbstractHTTPJwtAuthenticator.extractCredentials(AbstractHTTPJwtAuthenticator.java:90) [opensearch-security-2.7.0.0.jar:2.7.0.0]
	at org.opensearch.security.auth.BackendRegistry.authenticate(BackendRegistry.java:244) [opensearch-security-2.7.0.0.jar:2.7.0.0]
	at org.opensearch.security.filter.SecurityRestFilter.checkAndAuthenticateRequest(SecurityRestFilter.java:191) [opensearch-security-2.7.0.0.jar:2.7.0.0]
	at org.opensearch.security.filter.SecurityRestFilter$1.handleRequest(SecurityRestFilter.java:124) [opensearch-security-2.7.0.0.jar:2.7.0.0]
	at org.opensearch.rest.RestController.dispatchRequest(RestController.java:312) [opensearch-2.7.0.jar:2.7.0]
	at org.opensearch.rest.RestController.tryAllHandlers(RestController.java:398) [opensearch-2.7.0.jar:2.7.0]
	at org.opensearch.rest.RestController.dispatchRequest(RestController.java:241) [opensearch-2.7.0.jar:2.7.0]
	at org.opensearch.security.ssl.http.netty.ValidatingDispatcher.dispatchRequest(ValidatingDispatcher.java:63) [opensearch-security-2.7.0.0.jar:2.7.0.0]
	at org.opensearch.http.AbstractHttpServerTransport.dispatchRequest(AbstractHttpServerTransport.java:366) [opensearch-2.7.0.jar:2.7.0]
	at org.opensearch.http.AbstractHttpServerTransport.handleIncomingRequest(AbstractHttpServerTransport.java:445) [opensearch-2.7.0.jar:2.7.0]
	at org.opensearch.http.AbstractHttpServerTransport.incomingRequest(AbstractHttpServerTransport.java:356) [opensearch-2.7.0.jar:2.7.0]
	at org.opensearch.http.netty4.Netty4HttpRequestHandler.channelRead0(Netty4HttpRequestHandler.java:55) [transport-netty4-client-2.7.0.jar:2.7.0]
	at org.opensearch.http.netty4.Netty4HttpRequestHandler.channelRead0(Netty4HttpRequestHandler.java:41) [transport-netty4-client-2.7.0.jar:2.7.0]
	at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:99) [netty-transport-4.1.91.Final.jar:4.1.91.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444) [netty-transport-4.1.91.Final.jar:4.1.91.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) [netty-transport-4.1.91.Final.jar:4.1.91.Final]
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412) [netty-transport-4.1.91.Final.jar:4.1.91.Final]
	at org.opensearch.http.netty4.Netty4HttpPipeliningHandler.channelRead(Netty4HttpPipeliningHandler.java:71) [transport-netty4-client-2.7.0.jar:2.7.0]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:442) [netty-transport-4.1.91.Final.jar:4.1.91.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) [netty-transport-4.1.91.Final.jar:4.1.91.Final]
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412) [netty-transport-4.1.91.Final.jar:4.1.91.Final]
	at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:103) [netty-codec-4.1.91.Final.jar:4.1.91.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444) [netty-transport-4.1.91.Final.jar:4.1.91.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) [netty-transport-4.1.91.Final.jar:4.1.91.Final]
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412) [netty-transport-4.1.91.Final.jar:4.1.91.Final]
	at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:103) [netty-codec-4.1.91.Final.jar:4.1.91.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444) [netty-transport-4.1.91.Final.jar:4.1.91.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) [netty-transport-4.1.91.Final.jar:4.1.91.Final]
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412) [netty-transport-4.1.91.Final.jar:4.1.91.Final]
	at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:103) [netty-codec-4.1.91.Final.jar:4.1.91.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444) [netty-transport-4.1.91.Final.jar:4.1.91.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) [netty-transport-4.1.91.Final.jar:4.1.91.Final]
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412) [netty-transport-4.1.91.Final.jar:4.1.91.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:346) [netty-codec-4.1.91.Final.jar:4.1.91.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:318) [netty-codec-4.1.91.Final.jar:4.1.91.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444) [netty-transport-4.1.91.Final.jar:4.1.91.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) [netty-transport-4.1.91.Final.jar:4.1.91.Final]
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412) [netty-transport-4.1.91.Final.jar:4.1.91.Final]
	at io.netty.handler.timeout.IdleStateHandler.channelRead(IdleStateHandler.java:286) [netty-handler-4.1.91.Final.jar:4.1.91.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:442) [netty-transport-4.1.91.Final.jar:4.1.91.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) [netty-transport-4.1.91.Final.jar:4.1.91.Final]
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412) [netty-transport-4.1.91.Final.jar:4.1.91.Final]
	at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:103) [netty-codec-4.1.91.Final.jar:4.1.91.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444) [netty-transport-4.1.91.Final.jar:4.1.91.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) [netty-transport-4.1.91.Final.jar:4.1.91.Final]
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412) [netty-transport-4.1.91.Final.jar:4.1.91.Final]
	at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1383) [netty-handler-4.1.91.Final.jar:4.1.91.Final]
	at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1246) [netty-handler-4.1.91.Final.jar:4.1.91.Final]
	at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1295) [netty-handler-4.1.91.Final.jar:4.1.91.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:529) [netty-codec-4.1.91.Final.jar:4.1.91.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:468) [netty-codec-4.1.91.Final.jar:4.1.91.Final]
	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290) [netty-codec-4.1.91.Final.jar:4.1.91.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444) [netty-transport-4.1.91.Final.jar:4.1.91.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) [netty-transport-4.1.91.Final.jar:4.1.91.Final]
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412) [netty-transport-4.1.91.Final.jar:4.1.91.Final]
	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410) [netty-transport-4.1.91.Final.jar:4.1.91.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440) [netty-transport-4.1.91.Final.jar:4.1.91.Final]
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) [netty-transport-4.1.91.Final.jar:4.1.91.Final]
	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919) [netty-transport-4.1.91.Final.jar:4.1.91.Final]
	at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166) [netty-transport-4.1.91.Final.jar:4.1.91.Final]
	at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:788) [netty-transport-4.1.91.Final.jar:4.1.91.Final]
	at io.netty.channel.nio.NioEventLoop.processSelectedKeysPlain(NioEventLoop.java:689) [netty-transport-4.1.91.Final.jar:4.1.91.Final]
	at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:652) [netty-transport-4.1.91.Final.jar:4.1.91.Final]
	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562) [netty-transport-4.1.91.Final.jar:4.1.91.Final]
	at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997) [netty-common-4.1.91.Final.jar:4.1.91.Final]
	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) [netty-common-4.1.91.Final.jar:4.1.91.Final]
	at java.lang.Thread.run(Thread.java:833) [?:?]
Caused by: org.apache.cxf.rs.security.jose.jwt.JwtException: The token has expired
	at org.apache.cxf.rs.security.jose.jwt.JwtUtils.validateJwtExpiry(JwtUtils.java:58) ~[cxf-rt-rs-security-jose-3.5.5.jar:3.5.5]
	at com.amazon.dlic.auth.http.jwt.keybyoidc.JwtVerifier.validateClaims(JwtVerifier.java:113) ~[opensearch-security-2.7.0.0.jar:2.7.0.0]
	at com.amazon.dlic.auth.http.jwt.keybyoidc.JwtVerifier.getVerifiedJwtToken(JwtVerifier.java:75) ~[opensearch-security-2.7.0.0.jar:2.7.0.0]
	... 71 more
[2023-07-20T08:00:57,874][WARN ][o.o.s.a.BackendRegistry  ] [central-logging-master-0] Authentication finally failed for null from 10.42.166.81:56224

How can one reproduce the bug?
Here's our configuration to reproduce the bug:

config.yaml

_meta:
  type: "config"
  config_version: "2"
config:
  dynamic:
    authc:
      basic_internal_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 0
        http_authenticator:
          type: basic
          challenge: false
        authentication_backend:
          type: internal
      openid_auth_domain:
        http_enabled: true
        transport_enabled: true
        order: 1
        http_authenticator:
          type: openid
          challenge: false
          config:
            subject_key: preferred_username
            roles_key: roles
            openid_connect_url: https://mydomain.local/realms/master/.well-known/openid-configuration
            jwt_clock_skew_tolerance_seconds: 10
        authentication_backend:
          type: noop

opensearch_dashboards.yml

opensearch.password: kibanaserver
opensearch.requestHeadersAllowlist: ["Authorization", "security_tenant"]
opensearch.ssl.verificationMode: none
opensearch.username: kibanaserver
opensearch_security.auth.multiple_auth_enabled: true
opensearch_security.auth.type: ["basicauth","openid"]
opensearch_security.cookie.ttl: 86400000
opensearch_security.multitenancy.enabled: true
opensearch_security.openid.base_redirect_url: https://opensearch.service.kogo4ic.de/
opensearch_security.openid.client_id: opensearch
opensearch_security.openid.client_secret: REDACTED
opensearch_security.openid.connect_url: https://mydomain.local/realms/master/.well-known/openid-configuration
opensearch_security.openid.extra_storage.additional_cookies: 3
opensearch_security.openid.extra_storage.cookie_prefix: security_authentication_oidc
opensearch_security.openid.refresh_tokens: true
opensearch_security.session.keepalive: true
opensearch_security.session.ttl: 86400000
server.name: central-logging-dashboards
server.ssl.certificate: /usr/share/opensearch-dashboards/certs/tls.crt
server.ssl.enabled: true
server.ssl.key: /usr/share/opensearch-dashboards/certs/tls.key

What is the expected behavior?
A user can log in and the session will last 24 h.

What is your host/environment?

  • OS: Kubernetes 1.24
  • Version 2.7.0
  • Plugins: opensearch-dashboard with security
mueller-tobias added the labels bug (Something isn't working) and untriaged on Jul 20, 2023
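An added triage example for the log line in the report above (my own code, not the reporter's configuration and not part of the security plugin): it pulls the JWT out of an "Extracting JWT token from ... failed" line, decodes the claims without verifying the signature (log triage only, never an authentication decision), and reports the token lifetime and by how many seconds the rejected request overshot `exp` once the `jwt_clock_skew_tolerance_seconds: 10` from the posted config.yaml is allowed for. Assumptions: the node writes log timestamps in UTC; the sample token is constructed with the `exp`, `iat` and `auth_time` values that the token in the log above decodes to, carries an empty signature, and is wrapped in a log line built to match the format of the one above.

```python
"""Triage helper for "The token has expired" rejections logged by the OpenSearch
security plugin (AbstractHTTPJwtAuthenticator).

The JWT is decoded WITHOUT signature verification. That is fine for reading what
a logged token says; it must never be used to decide whether a request is authentic.
"""
import base64
import json
import re
from datetime import datetime, timezone
from typing import Optional

# Shape of the plugin's log line:
#   [<timestamp>][<level>][<logger>] [<node>] Extracting JWT token from <jwt> failed
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\[(?P<level>[^\]]+)\]\[(?P<logger>[^\]]+)\]\s+"
    r"\[(?P<node>[^\]]+)\]\s+Extracting JWT token from "
    r"(?P<jwt>[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*) failed"
)


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _iso(epoch) -> str:
    return datetime.fromtimestamp(int(epoch), tz=timezone.utc).isoformat()


def unverified_claims(jwt: str) -> dict:
    """Header and payload of a compact JWS. The signature is NOT checked."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return {
        "header": json.loads(_b64url_decode(parts[0])),
        "payload": json.loads(_b64url_decode(parts[1])),
    }


def expiry_report(payload: dict, seen_at: datetime, skew_seconds: int) -> dict:
    """Apply an exp check with clock-skew tolerance: the token is rejected once the
    request time exceeds exp by more than the tolerance."""
    if "exp" not in payload:
        raise ValueError("token carries no exp claim")
    exp = int(payload["exp"])
    iat = payload.get("iat")
    seen = int(seen_at.timestamp())
    past_exp = seen - exp  # positive: the request arrived after expiry
    return {
        "token_type": payload.get("typ"),
        "lifetime_s": (exp - int(iat)) if iat is not None else None,
        "issued_at": _iso(iat) if iat is not None else None,
        "authenticated_at": _iso(payload["auth_time"]) if "auth_time" in payload else None,
        "expired_at": _iso(exp),
        "seconds_past_exp": past_exp,
        "rejected": past_exp > skew_seconds,
    }


def triage_log_line(line: str, skew_seconds: int = 10, log_tz=timezone.utc) -> Optional[dict]:
    """Expiry report for an 'Extracting JWT token from ... failed' line, else None.
    log_tz is the zone the node logs in (assumed UTC here)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # log4j separates milliseconds with a comma: 2023-07-20T08:00:57,870
    seen_at = datetime.fromisoformat(m["ts"].replace(",", ".")).replace(tzinfo=log_tz)
    report = expiry_report(unverified_claims(m["jwt"])["payload"], seen_at, skew_seconds)
    report["node"] = m["node"]
    return report


def make_unsigned_jwt(payload: dict) -> str:
    """Constructed test token: proper header/payload encoding, empty signature.
    Only for feeding the triage code offline; an IdP would of course sign it."""
    header = {"alg": "RS256", "typ": "JWT"}
    enc = lambda obj: _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return f"{enc(header)}.{enc(payload)}."


# Constructed sample (not copied from a real IdP): the time claims are the values the
# token in the log above decodes to; the log line mirrors that line's format.
SAMPLE_JWT = make_unsigned_jwt(
    {"exp": 1689839941, "iat": 1689839881, "auth_time": 1689834854, "typ": "ID"}
)
SAMPLE_LOG_LINE = (
    "[2023-07-20T08:00:57,870][INFO ][c.a.d.a.h.j.AbstractHTTPJwtAuthenticator] "
    f"[central-logging-master-0] Extracting JWT token from {SAMPLE_JWT} failed"
)

if __name__ == "__main__":
    print(json.dumps(triage_log_line(SAMPLE_LOG_LINE, skew_seconds=10), indent=2))
```

Run against the constructed line, the report says the ID token was issued at 07:58:01 UTC and expired at 07:59:01 UTC (a 60 s lifetime, the Keycloak default that a later comment in this thread also mentions), while the rejected request arrived at 08:00:57, 116 s past `exp`. No sensible clock-skew tolerance covers a gap like that, so either the Dashboards side exchanges the refresh token before `exp` or the user is bounced to the login page; that is the refresh-flow behaviour the rest of the thread investigates.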
@stephen-crawford
Contributor

[Triage] Hi @TobiasMuellerES, please review this topic discussed on the OpenSearch forum.

@mueller-tobias
Author

Hi @scrawfor99,

thanks for your tips. I had already reviewed the topic in the forum before I opened the bug. The access token lifetime in Keycloak is already 6 minutes and I've added the ...refresh_token: true configuration to the opensearch_dashboards.yml without success.

@wandersonlima

Same problem here.
Version 2.6.0 works fine, but 2.9.0 throws BadCredentialsException: The token has expired after 5 minutes.

What is your host/environment?

  • OS: Kubernetes 1.26
  • Version 2.9.0

opensearch_dashboards.yml:

opensearch.ssl.verificationMode: none
opensearch_security.auth.type: ["basicauth","openid"]
opensearch_security.auth.multiple_auth_enabled: true
opensearch_security.openid.client_id: xxxxxxxxxx
opensearch_security.openid.client_secret: xxxxxxxxxx
opensearch_security.openid.base_redirect_url: https://xxxxxxxxxxxxxxxxxx
opensearch_security.openid.connect_url: https://xxxxxxxxx/realms/kubernetes/.well-known/openid-configuration
opensearch_security.openid.scope: openid profile email groups
opensearch_security.openid.verify_hostnames: true
opensearch_security.openid.refresh_tokens: true

@jpelletier412

@mueller-tobias @wandersonlima Have either of you been able to find a solution for this issue? I too have added the "refresh_tokens: true" line in opensearch-dashboards.yml and that does not fix the issue of an expired OpenID access token with Keycloak 21.1.1. I have now witnessed this issue in OpenSearch versions 2.7.0, 2.8.0, and 2.9.0. If you are still experiencing this issue, I feel this defect needs to be re-opened and addressed. I have also opened this in the OpenSearch community with the same response of the refresh_tokens solution - https://forum.opensearch.org/t/receiving-error-after-access-token-expires/15412

@mueller-tobias
Author

@jpelletier412 The issue still persists. Our workaround was to increase the access token lifetime in Keycloak for this specific OpenID client. We're currently evaluating whether we invest more time in OpenSearch or switch to another solution like Grafana Loki or back to an ELK stack.

@cwperks
Member

cwperks commented Aug 30, 2023

I replicated the issue locally and received the following error: [error][plugins][securityDashboards] Failed to resolve user tenant: Error: Failed authentication: Authentication Exception. It looks like this error is somehow related to multi-tenancy. I am re-opening this issue.

Edit: FYI there is a related issue with OpenID where on re-login it does not resume where the user last was. This is being addressed in this PR: #1563

@cwperks
Member

cwperks commented Aug 30, 2023

I believe there is a regression in the OIDC refresh token flow, introduced in 2.7.0 with the cookie splitting feature: #1352

See details in the description on here: #1569

@jpelletier412

@mueller-tobias Yeah we have had to implement the same workaround for the time being. Thanks for your response.

Thank you @cwperks for doing the investigation on the regression here and opening this issue back up.

@jochen-kressin
Contributor

Hi there! Thanks for the feedback regarding the "alternative solution" described in #1569

We're working on a PR and should be able to submit it today.

Then we probably need to follow up with integration tests. For this, I might need some assistance on how to configure the CI so that we can set up a short token expiration in a way that doesn't introduce unnecessary waiting for the token to expire.
Suggestions/ideas very welcome - I'll see what I can figure out in the meantime.

@cwperks
Member

cwperks commented Sep 11, 2023

@jochen-kressin FYI @sebastianmichalski had worked on adding OIDC tests in a different repo here that setup keycloak as part of the tests.

That PR is blocked in that repo since it's on Cypress 9 and full support for cross-origin testing was not added until Cypress 12. The repo is being updated to Cypress 12, but before the upgrade can happen all dashboards plugins need to ensure their tests run with Cypress 12.

@RyanL1997 is working on adding the cypress tests into this repo directly so that it can be updated independently of other dashboards plugins. Maybe we can use the setup introduced by @sebastianmichalski?

@stephen-crawford
Contributor

[Triage] This issue is currently being worked on by @jochen-kressin after discovering a regression in the cookie splitting logic. Going to mark as triaged since this has a clear path forward from Jochen.

@jochen-kressin
Contributor

Hi again @cwperks,

so I've done some testing - @sebastianmichalski's script covers pretty much everything in terms of setting up Keycloak 👍

Regarding moving the integration tests to this repository - I'm not really sure where to put them.
I was looking in the main branch, but I can't find any Cypress tests there. The GitHub workflows seem to pull the testing repo and run the tests located there, e.g. https://github.com/opensearch-project/security-dashboards-plugin/blob/main/.github/workflows/cypress-test-tenancy-disabled.yml#L73

After looking around in @RyanL1997 repositories, it looks like you will add cypress/e2e/ to the plugin's root folder, but maybe you could point me in the right direction?

@cwperks
Member

cwperks commented Sep 14, 2023

@jochen-kressin It may be worthwhile to look at dashboards-observability.

They are one repo that I know of that has functional tests in their repo so that they don't have to wait for the function test repo to upgrade cypress.

@jochen-kressin
Contributor

@cwperks Sorry for the late reply on this. So I compared the approach from dashboards-observability with a couple of other workflows I was able to find, including @RyanL1997's #1579

At the end of the day, in order to avoid duplicate work I think it makes sense that I pause the "GitHub-Workflow" side of the integration tests, and instead wait for Ryan's PR to be merged.
At least in the current state of his PR, he's already got Keycloak covered - and that's pretty much all that the integration test(s) for this OIDC regression would need (as long as the token lifespan is short, which it is by default: 60s).

Just ping me if you have any objections, otherwise I'll monitor the PR mentioned above and then submit the tests when it is done (or as a draft earlier perhaps).

@cwperks
Member

cwperks commented Oct 3, 2023

@jochen-kressin Sounds good to me. Thank you for working with @RyanL1997 on the setup of Cypress12/13 in this repo.

I'd be in favor of merging the fix for OIDC refresh tokens for 2.11 and add functional tests with Cypress12 soon thereafter.

@DarshitChanpura @peternied @scrawfor99 @RyanL1997 What do you think about merging #1580 after CI has been fixed reacting to the default admin pw change and following that PR with one afterwards with functional tests for the change when #1579 is complete?
