Skip to content

Fix OIDC re-authentication failing after ~24 hours #1470

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
Copilot wants to merge 3 commits into
base: main
Choose a base branch
from
Draft

Fix OIDC re-authentication failing after ~24 hours #1470

Copilot wants to merge 3 commits into from

Conversation

Copy link

Copilot AI commented Nov 25, 2025
edited
Loading

Fixes #1469.

Description

OIDC users were unable to re-authenticate after ~24 hours. The only workaround was restarting Parseable.

Root cause: Inverted logic in remove_expired_session() was keeping expired sessions and removing valid ones.

// Bug: kept sessions where expiry < now (expired), removed valid ones
sessions.retain(|(_, expiry)| expiry < &now);

// Fix: keep sessions where expiry > now (valid)
sessions.retain(|(_, expiry)| expiry > &now);

Changes:

  • Fixed comparison operator in src/rbac/map.rs:212
  • Added debug logging for session expiration events
  • Added unit tests for session expiration logic

This PR has:

  • been tested to ensure log ingestion and log query works.
  • added comments explaining the "why" and the intent of the code wherever would not be obvious for an unfamiliar reader.
  • added documentation for new or modified features or behaviors.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • parseable-prism-build.s3.us-east-2.amazonaws.com
    • Triggering command: /home/REDACTED/work/parseable/parseable/target/debug/build/parseable-e7150ceacea65be3/build-script-build /home/REDACTED/work/parseable/parseable/target/debug/build/parseable-e7150ceacea65be3/build-script-build lib/rustlib/x86_64-REDACTED-linux-gnu/lib/libobject-00745b6f63a5acb7.rlib lib/rustlib/x86_64-REDACTED-linux-gnu/lib/libmemchr-ff20d9e744b5ce29.rlib lib/rustlib/x86_64-REDACTED-linux-gnu/lib/libaddr2line-05ff42d0bb8bc056.rlib lib/rustlib/x86_64-REDACTED-linux-gnu/lib/libgimli-9e30a03d9a87a46b.rlib lib/rustlib/x86_64-REDACTED-linux-gnu/lib/libcfg_if-ca532f729409e986.rlib lib/rustlib/x86_64-REDACTED-linux-gnu/lib/librustc_demangle-d3519961f658f03a.rlib lib/rustlib/x86_64-REDACTED-linux-gnu/lib/libstd_detect-866c9680e50cd51f.rlib lib/rustlib/x86_64-REDACTED-linux-gnu/lib/libhashbrown-e3c0c009096f309d.rlib lib/rustlib/x86_64-REDACTED-linux-gnu/lib/librustc_std_workspace_alloc-2fb855ef27dbee02.rlib (dns block)
    • Triggering command: /home/REDACTED/work/parseable/parseable/target/debug/build/parseable-cfb611a16fdc6fb3/build-script-build /home/REDACTED/work/parseable/parseable/target/debug/build/parseable-cfb611a16fdc6fb3/build-script-build (dns block)
    • Triggering command: /home/REDACTED/work/parseable/.codeql-scratch/dbs/rust/working/target/debug/build/parseable-5219d1c764b0c7a3/build-script-build /home/REDACTED/work/parseable/.codeql-scratch/dbs/rust/working/target/debug/build/parseable-5219d1c764b0c7a3/build-script-build get/debug/deps/libchange_detection-f4fef92857f2f5e3.rlib get/debug/deps/libpath_slash-8cb979fc12d43daf.rlib get/debug/deps/libpath_matchers-39bf8d94493f4411.rlib get/debug/deps/libglob-6dbd901f06f5c038.rlib lib/rustlib/x86_64-REDACTED-linux-gnu/lib/libstd-a71a575950182156.rlib lib/rustlib/x86_64-REDACTED-linux-gnu/lib/libpanic_unwind-150250ca1242312f.rlib lib/rustlib/x86_64-REDACTED-linux-gnu/lib/libobject-00745b6f63a5acb7.rlib lib/rustlib/x86_64-REDACTED-linux-gnu/lib/libmemchr-ff20d9e744b5ce29.rlib lib/rustlib/x86_64-REDACTED-linux-gnu/lib/libaddr2line-05ff42d0bb8bc056.rlib zstd/lib/legacy --gdwarf-4 --64 -o /home/REDACTED/work/parseable/parseable/target/debug/build/zstd-syas /tmp/ccGOEnYJ.s (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

This section details on the original issue you should resolve

<issue_title>Re-authentication with oidc do not work after approx 24 hours</issue_title>
<issue_description>This issue is related to oidc authentication. The behaviour we have seen are:

  • Login in using oidc works and groups are mapped to parseable roles.
  • Logout and login works.
  • Logout and login after approx 24 hour result in 401.
  • The only way to get login for using oidc is to restart parseable

Our setup is parsable use dex.io as a oidc mediator.
So I can not be sure that the issue is in Parseable, but since a restart "clear" some transient data structure related to the user it seems to be the cause.
One problem is that there is nothing in the parseable logs that help you identify the problem. Even increase the log level to info it just state 401 when authenticating the user.

/about output:

{
    "version": "v2.5.1",
    "uiVersion": "v2.5.1",
    "commit": "8cfced3",
    "deploymentId": "01JRMQX30F6MGGHCEKJ5DASCRS",
    "updateAvailable": false,
    "latestVersion": "v2.5.1",
    "llmActive": false,
    "llmProvider": null,
    "oidcActive": true,
    "license": "AGPL-3.0-only",
    "mode": "Standalone",
    "staging": "/var/tmp/parseable_staging",
    "hotTier": "Disabled",
    "grpcPort": 8001,
    "store": {
        "type": "S3 bucket",
        "path": "https://sg1.vgregion.se/parseable"
    },
    "analytics": {
        "clarityTag": null
    }
}

</issue_description>

Comments on the Issue (you are @copilot in this section)

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

@coderabbitai
Copy link
Contributor

coderabbitai bot commented Nov 25, 2025

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Comment @coderabbitai help to get the list of available commands and usage tips.

Copilot AI and others added 2 commits November 25, 2025 20:44
@nitisht
Fix OIDC session expiration bug: keep valid sessions, remove expired …
51b53f5 
…ones

Co-authored-by: nitisht <5156139+nitisht@users.noreply.github.com>
@nitisht
Improve test documentation clarity
b46da3a 
Co-authored-by: nitisht <5156139+nitisht@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix re-authentication issue with OIDC after 24 hours Fix OIDC re-authentication failing after ~24 hours Nov 25, 2025
Copilot AI requested a review from nitisht November 25, 2025 20:50
Copilot finished work on behalf of nitisht November 25, 2025 20:50
@github-actions
Copy link
Contributor

github-actions bot commented Nov 25, 2025

CLA Assistant Lite bot:
Thank you for your submission, we really appreciate it. Like many open-source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution. You can sign the CLA by just posting a Pull Request Comment same as the below format.

I have read the CLA Document and I hereby sign the CLA

You can retrigger this bot by commenting recheck in this Pull Request

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nitisht nitisht Awaiting requested review from nitisht

@nikhilsinhaparseable nikhilsinhaparseable Awaiting requested review from nikhilsinhaparseable

At least 1 approving review is required to merge this pull request.

Assignees

@nitisht nitisht

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Re-authentication with oidc do not work after approx 24 hours

2 participants

@nitisht