From 9169ef89d967369b4f009dcb2ca97f758b3bd990 Mon Sep 17 00:00:00 2001 From: Sunil Mohan Adapa Date: Wed, 18 Mar 2026 12:35:42 -0700 Subject: [PATCH] apache: Increase OpenID Connect RP session timeout activity Tests: - Without patch, open FeatherWiki wiki and save after 5 minutes. Save fails. - Apply the patch, Apache app setup is run and mod_auth_openidc configuration is updated. Open FeatherWiki wiki and save after 5 minutes. Save works, wiki contents are saved. Signed-off-by: Sunil Mohan Adapa Reviewed-by: Joseph Nuthalapati
--- plinth/modules/apache/__init__.py | 2 +- plinth/modules/apache/privileged.py | 31 +++++++++++++++++++++++++++++ 2 files changed, 32 insertions(+), 1 deletion(-)
diff --git a/plinth/modules/apache/__init__.py b/plinth/modules/apache/__init__.py
index 62dd6cc3c..d6268b9a3 100644
--- a/plinth/modules/apache/__init__.py
+++ b/plinth/modules/apache/__init__.py
@@ -86,7 +86,7 @@ class ApacheApp(app_module.App):
 app_id = 'apache'
- _version = 16
+ _version = 17
 def __init__(self) -> None:
 """Create components for the app."""
diff --git a/plinth/modules/apache/privileged.py b/plinth/modules/apache/privileged.py
index de46375f4..e9df3135e 100644
--- a/plinth/modules/apache/privileged.py
+++ b/plinth/modules/apache/privileged.py
@@ -237,6 +237,30 @@ def _setup_oidc_config(): Keep the metadata directory and configuration file unreadable by non-admin users since they contain module's crypto secret and OIDC client secret.
+
+ # Session management
+
+ When apps like Syncthing are protected with mod_auth_openidc, there a
+ session maintained using server-side session storage and a cookie on the
+ client side. This session is different from the session managed by the
+ OpenID Connect Provider (FreedomBox web interface). As long as this session
+ is valid, no further authentication mechanisms are triggered.
+
+ When the session expires, if the request is a GET request (due to page
+ reload), the browser is redirected to OP, a fresh token is created, and the
+ page is loaded. However, for POST requests, 401 error is returned and if
+ the application is unaware, it won't do much about it. So, this
+ necessitates keeping the session timeout value high.
+
+ When logout is performed on FreedomBox web interface, mod_auth_openidc
+ cookie is also removed and logout feels instantaneous. However, this won't
+ work for applications not using mod_auth_openidc and for applications
+ hosted on other domains. A better way to do this is to implement OpenID
+ Connect's Back-Channel Logout or using OpenID Connect Session Management.
+
+ For more about session management see:
+ https://github.com/OpenIDC/mod_auth_openidc/wiki/Sessions-and-Timeouts and
+ https://github.com/OpenIDC/mod_auth_openidc/wiki/Session-Management-Settings
 """
 metadata_dir_path.parent.mkdir(mode=0o700, parents=True, exist_ok=True)
 metadata_dir_path.mkdir(mode=0o700, exist_ok=True)
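Review bot: The new "Session management" section of the docstring has a grammatical slip in its first paragraph: `there a session maintained` should read `there is a session maintained`, and `redirected to OP` would be clearer if it reused the spelled-out form introduced two lines earlier, e.g. `redirected to the OpenID Connect Provider (OP)`. The paragraph ending `necessitates keeping the session timeout value high` states only the usability side; a reader assessing this configuration will want the trade-off spelled out, so I would append a sentence such as `The cost is that a stolen or abandoned mod_auth_openidc session cookie stays usable for the whole idle window, so the timeout should not be raised further without a revocation mechanism.` The statement that a 401 is returned for POST requests after expiry is presumably what was observed with this configuration; it may be worth noting it depends on how mod_auth_openidc distinguishes browser navigations from other requests rather than being unconditional. The enclosing _setup_oidc_config function starts before and continues past this hunk.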
@@ -259,6 +283,13 @@ def _setup_oidc_config():
 OIDCSSLValidateServer Off
 OIDCProviderMetadataRefreshInterval 86400
+ # Expire the mod_auth_openidc session (not the OpenID Conneect Provider
+ # session) after 10 hours of idle with a maximum session duration equal to
+ # the expiry time of the ID token (10 hours). This allows applications such
+ # as FeatherWiki to have long editing sessions before save.
+ OIDCSessionInactivityTimeout 36000
+ OIDCSessionMaxDuration 0
+ # Use relative URL to return to the original domain
 OIDCRedirectURI /apache/oidc/callback
 OIDCRemoteUserClaim sub
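Review bot: The comment above `OIDCSessionInactivityTimeout 36000` asserts that the ID token expires after 10 hours, but nothing in this hunk establishes that; `OIDCSessionMaxDuration 0` ties the session cap to whatever exp claim the provider issues, so the effective maximum silently tracks the OP's ID-token lifetime configured elsewhere and the parenthetical goes stale if that value changes. I would drop the hard-coded figure and say so explicitly, along the lines of `# OIDCSessionMaxDuration 0 caps the session at the ID token's expiry, so the real maximum follows the OP's ID token lifetime; keep the two in sync.` Raising the idle timeout from mod_auth_openidc's default of a few minutes to 10 hours also widens the window in which a captured or unattended session cookie remains valid, which deserves one sentence in the comment since logout does not revoke it for applications on other domains (as the docstring in the previous hunk notes). The comment also misspells `Conneect`; it should be `Connect`. The enclosing _setup_oidc_config function starts before and continues past this hunk.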