Ziti Admin Console Lock Screen - Feature Request (if not bug)

Quick question. Out of curiosity, is the Ziti Admin Console supposed to lock and go back to the initial login screen (shown below) after it hits the inactivity threshold?

So far, I only get the 'true' login screen when navigating directly there or after clearing cache.

When the console locks after inactivity, what I get instead is the following: a login prompt on top of the console window that is being navigated to. (And it still shows the stale page that was left open when the session hit its inactivity limit, before you try to navigate.)

Is this a bug or incompatibility with something in the web browser? Is there a way to configure the Ziti Admin Console to go back to the 'top-level' login page when a session is locked/terminated due to inactivity? If not, that would be a great minor feature to put in an update to help with more generic security by obfuscating the session when it technically locks.

Hi @bvh ,

Just want to confirm what you're seeing and what the "ask" is for this feature/fix:

  • You're a user who had an active session in ZAC at some point, but it has now expired
  • You attempted some action in the console but then got prompted to re-auth when the controller returned a 401 Unauthorized response
  • ZAC shows you a modal/overlay, leaving the previous session content still visible on the page
  • Instead you would like to just return to the full-page login (in the first screenshot) and then, after a successful re-auth, return to the page in the console you were on before the session expiration

If the above is accurate, I think that should be a fair/feasible change we can accommodate. I will open a ticket in the ziti-console project to track and prioritize.

Thanks for the feedback!

Hi @rgalletto Thanks for taking a look!

Yes. You are correct. The one nuance is that, between your bullet points 1 and 2, prior to taking some action in the console which results in the 401 response, the page in the console that was left open when the user stopped interacting with the session (what was left open at the time the session expired, per your bullet point 1) seems to remain displayed until an action is attempted (your bullet point 2). I did not capture a screenshot to show it, but I left the session to expire while sitting on the dashboard and that kept showing. It was not until I took the action of navigating to the Authentication window (shown in my second screenshot) that the 401 error prompted for re-authentication. (Your bullet point 3 is still accurate, but with the clarification that it shows the page the action was navigating to, without any data loaded.)

Ideally, your 4th bullet point is what I would like to see, but with the specific clarification of the Ziti Console basically 'kicking you out' when the session inactivity threshold hits, in that bullet point 1.5 that I described, rather than waiting for an action to be attempted after the session has expired due to inactivity. Basically 'oops, you just expired; get out' vs 'oh hey, you just attempted something but this session is expired and you're not authorized, let's go back to the login screen now'.

I think we're on the same page, but I just want to be careful that I was clear in communicating how the stale session behaves (still technically exposing data within the console) prior to an action being attempted that causes the 401 response.

For example, here is the dashboard still showing information even though the session is definitely expired (leftover from yesterday). Upon clicking anything, it then goes to the Session Expired message previously shown.

Following up on this: After some discussions, the plan is to use the new OIDC login capability of the controller, and use refresh tokens to keep the sessions alive if possible. If those refresh tokens also expire, then the default will be to do the behavior that you described above, i.e. the Ziti Console 'kicking you out' when the session inactivity threshold hits, instead of waiting for the user to interact.

So it does sound like we are on the same page regarding the desired behavior. Thanks for clarifying!
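The behaviour agreed on in this thread (keep the session alive with OIDC refresh tokens while the user is active, and leave the console as soon as the inactivity threshold is hit or a refresh fails, rather than waiting for a 401 on the next click), sketched as an added JavaScript example. This is not ZAC's own code: the `SessionGuard` class, the idle limit, the token shape, the route names and the `refreshFn` stand-in for the controller's OIDC token endpoint are all assumptions, and the scenario data is constructed.

```javascript
// Added example, not ZAC project code. Client-side session guard that expires the
// console proactively (idle timeout or failed refresh) and also reactively (401).

const IDLE_LIMIT_MS = 15 * 60 * 1000; // assumed inactivity threshold

class SessionGuard {
  // refreshFn(refreshToken) -> { accessToken, refreshToken, expiresIn } or throws.
  //   Stand-in for POST grant_type=refresh_token to the OIDC token endpoint;
  //   synchronous here so the example runs without a network.
  // onExpire(returnTo): tear down the console view, show the full-page login,
  //   and remember the route to return to after re-auth.
  // now(): ms clock, injectable so the logic is testable.
  constructor({ refreshFn, onExpire, now = () => Date.now(), idleLimitMs = IDLE_LIMIT_MS }) {
    this.refreshFn = refreshFn;
    this.onExpire = onExpire;
    this.now = now;
    this.idleLimitMs = idleLimitMs;
    this.tokens = null; // { accessToken, refreshToken, expiresAt }
    this.lastActivity = now();
    this.currentRoute = '/';
  }

  // Store a token response; expiresIn is in seconds, as in an OIDC token response.
  setTokens({ accessToken, refreshToken, expiresIn }) {
    this.tokens = { accessToken, refreshToken, expiresAt: this.now() + expiresIn * 1000 };
  }

  // Record user activity (click, navigation); route is the page now shown.
  touch(route) {
    this.lastActivity = this.now();
    if (route) this.currentRoute = route;
  }

  // Run on an interval in a real UI. Returns 'active', 'refreshed' or 'expired'.
  tick() {
    if (!this.tokens) return 'expired'; // already logged out, do not fire onExpire twice
    if (this.now() - this.lastActivity >= this.idleLimitMs) return this.expire(); // idle: kick out now
    if (this.now() < this.tokens.expiresAt) return 'active';
    if (!this.tokens.refreshToken) return this.expire();
    try {
      this.setTokens(this.refreshFn(this.tokens.refreshToken)); // user is active: keep alive
      return 'refreshed';
    } catch (_) {
      return this.expire(); // refresh token rejected: kick out
    }
  }

  // Reactive path: a 401 from any controller call is treated as an expired session.
  onResponseStatus(status) {
    return status === 401 ? this.expire() : 'active';
  }

  expire() {
    const returnTo = this.currentRoute;
    this.tokens = null; // nothing stale left to display or replay
    this.onExpire(returnTo);
    return 'expired';
  }
}

// Constructed stand-in for the token endpoint: each refresh token is valid once.
function makeFakeRefresh() {
  const valid = new Set(['rt-1']);
  return (refreshToken) => {
    if (!valid.has(refreshToken)) throw new Error('invalid_grant');
    valid.delete(refreshToken);
    const next = refreshToken === 'rt-1' ? 'rt-2' : 'rt-3';
    valid.add(next);
    return { accessToken: 'at-' + next, refreshToken: next, expiresIn: 60 };
  };
}

// Walk through the thread's scenario with a fake clock (constructed timings).
function runScenario() {
  let t = 0;
  const expiredRoutes = [];
  const guard = new SessionGuard({
    refreshFn: makeFakeRefresh(),
    onExpire: (route) => expiredRoutes.push(route),
    now: () => t,
    idleLimitMs: 5 * 60 * 1000,
  });
  guard.setTokens({ accessToken: 'at-1', refreshToken: 'rt-1', expiresIn: 60 });
  guard.touch('/dashboard');
  const results = [];
  t = 30_000;  results.push(guard.tick()); // token still valid
  t = 61_000;  results.push(guard.tick()); // token expired, user active: refreshed
  t = 120_000; guard.touch('/authentication');
  t = 121_000; results.push(guard.tick()); // refreshed again with rt-2
  t = 500_000; results.push(guard.tick()); // idle 380 s > 300 s: expired without any 401
  results.push(guard.tick());              // stays expired, onExpire not repeated
  return { results, expiredRoutes, tokensAfter: guard.tokens };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(runScenario()));
}
```

The two paths matter for the concern raised in the thread: `tick()` is what removes the stale dashboard on the inactivity threshold with no user action, while `onResponseStatus(401)` remains as the fallback for a session the controller has already invalidated.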

@bvh The latest ZAC release (v4.3.0) should now have these login/session-expiration changes we've discussed. Feel free to give these changes a try whenever you get a chance and let us know if you have any other issues. Thanks!