Preventing OAuth/OIDC authentication timeout errors

Synchronize the session timeout and OAuth/OIDC token timeout to prevent early logouts and authentication errors.

About this task

The Identity Provider (IdP) that issues and manages the authentication token for the user assigns the token a lifetime. The token carries this expiration time and is valid only until then. Because the token is used for authentication, any server that receives it checks the expiration (along with the signature and other claims) before proceeding. Once the token has expired it can no longer be used, and the user must obtain a new token by authenticating again.

Token expiration is absolute: when the lifetime elapses, the token expires regardless of session activity. Synchronize the application-server session timeout with the OAuth/OIDC token timeout to prevent early logouts. The token timeout must be equal to or greater than the session timeout. The session timeout is an inactivity timeout that is configured through the application server; the default is 30 minutes. The OAuth/OIDC token timeout is configured at the IdP for the client application that is registered for the Content Cortex system. Refer to the IdP documentation for the default setting and instructions for changing the token timeout. When choosing the values, keep in mind that a longer session timeout also lengthens the window in which a stolen session cookie can be used, so align the two values at the shortest duration your users and security policy tolerate rather than simply extending the session.

The default IBM® Content Navigator session timeout value is 30 minutes. You can change this value to a longer duration.

Procedure

Choose the appropriate procedure based on your deployment environment.

  1. For IBM Content Navigator container deployments, override the session timeout configuration.
    1. Create an XML file (any file name with the .xml extension) with the following content in the configDropins/overrides directory.
      <server>
        <httpSession
            cookieSecure="true"
            invalidationTimeout="60m"
            invalidateOnUnauthorizedSessionRequestException="true" />
      </server>

      Specify a new invalidationTimeout value as an integer followed by a unit: h (hours), m (minutes), or s (seconds). For example, for one hour, use invalidationTimeout="60m" or invalidationTimeout="1h".

    2. Save the file.
    3. Restart the pods to apply the new setting.
  2. For WebSphere Application Server deployments, update the session timeout setting.
    The session timeout is a global setting and applies to all applications.
    1. Log on to the WebSphere administrative console.
    2. Go to Servers > Server Types > WebSphere application servers > icn_app_server_name.
    3. Click Container Settings > Session management > Set timeout.
    4. Enter the timeout value in minutes.
    5. Click OK.
    6. Click Save.
    7. Restart WebSphere® Application Server.

Results

The session timeout is synchronized with the OAuth/OIDC token timeout, preventing premature session expiration and authentication errors.

What to do next

Verify that the IdP token timeout is configured to be equal to or greater than the session timeout you configured. Refer to your IdP documentation for instructions on configuring the token timeout for your client application. After both values are set, log in through the IdP and confirm that an idle session is invalidated by the application server before the token expires, rather than the user receiving an authentication error from an expired token while the session is still active.
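The following script is an added example for this verification step; it is not part of IBM Content Navigator or the IdP, and it assumes the IdP issues a JWT with standard iat and exp claims and that the session timeout comes from a Liberty httpSession override of the form shown in the container procedure. It parses the invalidationTimeout duration, reads the token lifetime from the claims, and reports whether the token outlives the session timeout. The sample override XML and the sample tokens are constructed inline so the script runs offline; the token signature is deliberately not verified, because the purpose is configuration review, not authentication.

```python
"""Check that the OAuth/OIDC token lifetime covers the application-server
session timeout.  Added example; not IBM Content Navigator or IdP code.
Assumes a JWT carrying ``iat`` and ``exp`` and a Liberty ``httpSession``
override with ``invalidationTimeout``."""
import base64
import json
import re
import xml.etree.ElementTree as ET

# Liberty / ICN default session timeout (30 minutes), per the page.
LIBERTY_DEFAULT_SESSION_TIMEOUT = "30m"

_UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1}


def parse_liberty_duration(value: str) -> int:
    """Convert a Liberty duration such as '60m', '1h30m' or '90s' to seconds.
    A bare integer is treated as seconds (an assumption made for this example)."""
    value = value.strip()
    if value.isdigit():
        return int(value)
    parts = re.findall(r"(\d+)([hms])", value)
    # Reject anything that is not purely a sequence of <number><unit> tokens.
    if not parts or "".join(n + u for n, u in parts) != value:
        raise ValueError(f"unrecognised Liberty duration: {value!r}")
    return sum(int(n) * _UNIT_SECONDS[u] for n, u in parts)


def session_timeout_seconds(override_xml: str) -> int:
    """Read invalidationTimeout from a configDropins/overrides XML fragment;
    fall back to the 30-minute default when the attribute is absent."""
    root = ET.fromstring(override_xml)
    node = root.find("httpSession")
    value = node.get("invalidationTimeout") if node is not None else None
    return parse_liberty_duration(value or LIBERTY_DEFAULT_SESSION_TIMEOUT)


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_lifetime_seconds(jwt: str) -> int:
    """Return exp - iat of a compact JWT.  Only the payload is decoded; the
    signature is NOT verified, so use this for configuration review only."""
    try:
        _header, payload, _signature = jwt.split(".")
    except ValueError:
        raise ValueError("not a compact-serialised JWT") from None
    claims = json.loads(_b64url_decode(payload))
    if "exp" not in claims or "iat" not in claims:
        raise ValueError("token lacks exp/iat claims; cannot derive lifetime")
    return int(claims["exp"]) - int(claims["iat"])


def check_alignment(override_xml: str, jwt: str) -> dict:
    """ok is True when the token lifetime is >= the session timeout,
    which is the relationship the page requires."""
    session = session_timeout_seconds(override_xml)
    token = token_lifetime_seconds(jwt)
    return {"session_timeout_s": session, "token_lifetime_s": token,
            "ok": token >= session}


def make_sample_token(iat: int, exp: int) -> str:
    """Build an unsigned sample JWT (constructed for this demo, not from an IdP)."""
    def enc(obj: dict) -> str:
        raw = base64.urlsafe_b64encode(json.dumps(obj).encode())
        return raw.rstrip(b"=").decode()
    header = enc({"alg": "none", "typ": "JWT"})
    payload = enc({"iss": "https://idp.example", "iat": iat, "exp": exp})
    return f"{header}.{payload}.sig"


# Constructed sample override, matching the container procedure above.
SAMPLE_OVERRIDE = """<server>
  <httpSession cookieSecure="true"
               invalidationTimeout="60m"
               invalidateOnUnauthorizedSessionRequestException="true" />
</server>"""

if __name__ == "__main__":
    base = 1_700_000_000
    good = make_sample_token(iat=base, exp=base + 3600)   # 1 h token
    short = make_sample_token(iat=base, exp=base + 1800)  # 30 min token
    for label, tok in (("1h token", good), ("30m token", short)):
        print(label, check_alignment(SAMPLE_OVERRIDE, tok))
```

To use it against a real deployment, paste the override file contents into SAMPLE_OVERRIDE (or read it from disk) and pass a token captured from your own browser session for the client application; for the WebSphere Application Server procedure, the session timeout is the minutes value entered in the console, so call check_alignment with an override containing invalidationTimeout set to that number followed by m.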