Probably add time for cookie expiration from IDP. To check that it is sliding.
But probably it is http only
@Olga, thank you for continuing to assist us in what data would be helpful to see to try and get to the root cause.
I can only hope that @jbooker is on to something with the multiple tabs hypothesis.
DNS crapped out on me last night so nothing new to report.
Did notice some old orphaned oidc sessionIds in my localStorage. Looks like /RestHelp is the culprit there. Which coincides with another suspicion that /RestHelp never silently renews properly.
but yeah IdP cookies are probably not accessible via javascript (http-only let's hope)
I'll run this again today but I haven't captured a silent refresh failure since increasing the session timeout in IdP. But it is still failing randomly.
I'm positive we will figure something out if we keep iterating on how to log this and how to work around what we can't log, we'll come up with a proof, especially if we have @Olga's help and your level of custom tooling/coding.
Maybe this is just a random page timeout..
@jbooker, your hypothesis is that these other tabs (and their interactions with the token refresh or page timeouts, or whatever) are playing some part in the refresh not happening appropriately, right? In other words, page timeouts, token refreshes, etc. aside, we should not be seeing this error when we are clearly active on another tab. Right?
All I know is it seems to silent refresh fine when I walk away. But the problem bites me often when I'm working, I'm always working in many tabs, and one tab failure seems to dump them all. That's why I went down the many-tabs rabbit hole. Clean ERP tabs (/Home) are working pretty well so far, so now I wonder if the pattern might be related to other pages like AppStudio, RestHelp, etc. That wouldn't explain all cases of refresh failure cuz it's definitely affecting others who never go there, but IDK. Just pulling straws.
I know this thread is ancient, but it doesn't have a solution tag. EpicCare provided me with the video below, and that seems to have resolved the Lifetime Validation Error problem for my users.
In the video, the Access Token Lifetime (seconds) field is set to 32400 (9 hours). Ours was set to 3600 (1 hour). After making the change, I haven't seen the issue at all. I asked my users (who are not shy about sending me issues) to let me know if they are still seeing the error, and I haven't had a single report.
Increasing the access token lifetime would help at the expense of the client having access for longer after their identity account is disabled.
It doesn't really address the root problem of tokens not consistently refreshing silently. Every other website using entra id doesn't have a problem refreshing with the default token lifetimes.
API server checks that account is disabled so it won't allow access.
But yes, long lived tokens are against the idea.
RESTHelp uses old version of Kinetic UX library and is updated in the next release only. Probably it would be better if you remove it from the testing for now. For example, use another browser for it.
I'm talking about the identity account. For example if our sysadmins disable a user in entra (but miss disabling in Kinetic), the user would be able to authenticate to Kinetic for as long as the token is valid for.
yes, you are right. Needs to be disabled in Kinetic too.
Main point is @Olga and everyone else, increasing it doesn't fix the root issue we are investigating. I think we all agree on that, just stating it so if others see @kve's video they know it's a workaround and doesn't get to the root cause. Also thanks for dropping that in here @kve
First fail was the AppStudio Designer window. That borks all tabs. Oddly AppStudio refreshes 2 min early rather than the typical ~50secs before expiry.
@jbooker we are getting somewhere, but most the time I am just using normal apps like quote entry, report style, etc.
correct. My users all experience failure without going outside regular erp /Home.
Yeah, we gotta figure this out.
I need to try and get up to speed with y'all on this technically and figure out how to log and debug like you guys. I just haven't had the time.
Don't forget that IDP and AAD are different


