Open ID login lost when opening a new tab

08-30-2023 01:53 AM
SebastienPetit
Occasional Contributor
We were using OpenID + Keycloak for signing in and out, and it was working perfectly in 10.9.1. However, after upgrading the portal to 11.1, we are having the following issue:
 
  • Open the portal and sign in to the portal (>> signed in successfully)
  • Open the portal again in a new browser tab in the same session (here is the issue)
    • Expected: the user should be logged in automatically because he/she has already logged in during the same session.
    • Actual: the portal loads the landing page with the Sign in button as if the user is not logged in. However, when the user clicks Sign in and selects the option to log in via Keycloak, the page is redirected directly to the portal and the user is signed in without entering a username/password.
 
We have tried to trace what's going on using the browser developer tools. I believe that there is no authentication token stored in the cookies after the initial login, because the problem happens when the user opens a new tab and loads the portal page, and it finds no auth cookie = not signed in. However, when the user clicks Sign in and starts communicating with Keycloak, Keycloak redirects directly to the portal with no action needed from the user, because the initial auth token is already stored on the Keycloak server side.
A_Wyn_Jones
Esri Contributor

Hi @SebastienPetit,

Could you please ensure the web adaptor patch for IIS is in place (if this is the web adaptor you're using)?

https://support.esri.com/en-us/patches-updates/2023/arcgis-web-adaptor-iis-11-1-reliability-update-2...

Your issue sounds like it may be this bug:

  • BUG-000160009 - ArcGIS Web Adaptor (IIS) 11.1 fails to transmit multiple set-cookie response headers resulting in some cookies not getting created and affecting apps such as ArcGIS StoryMaps.
"We've boosted the Anti-Mass Spectrometer to 105 percent. Bit of a gamble, but we need the extra resolution."
SebastienPetit
Occasional Contributor

Just applied the patch.

Did not solve our issue ☹️

A_Wyn_Jones
Esri Contributor

😞 
I believe the cookie you're looking to preserve between tabs is "esri_aopc" - I would suggest ensuring your Enterprise is fully updated, with all available patches, and then testing on a Browser that doesn't have any policy applied to it.

If you can still replicate the issue in this state, please raise this with technical support - it sounds like it will require a thorough investigation.

Hope you get to the bottom of it!

"We've boosted the Anti-Mass Spectrometer to 105 percent. Bit of a gamble, but we need the extra resolution."
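
An added example, not part of the original thread and not Esri code: a small check that compares the Set-Cookie headers of two captured responses, one taken before the web adaptor and one after it, and reports which cookies were lost and whether esri_aopc arrived. The two captures are constructed, and every cookie name and value other than esri_aopc is a placeholder.

```python
# Constructed sample captures (not taken from the thread). Only the cookie
# name "esri_aopc" appears in the thread; "sample_pref" and all values are
# placeholders chosen for illustration.
BEFORE_ADAPTOR = (
    "HTTP/1.1 302 Found\r\n"
    "Location: /portal/home/\r\n"
    "Set-Cookie: esri_aopc=PLACEHOLDER; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: sample_pref=PLACEHOLDER; Path=/portal\r\n"
    "\r\n"
)
AFTER_ADAPTOR = (
    "HTTP/1.1 302 Found\r\n"
    "Location: /portal/home/\r\n"
    "Set-Cookie: sample_pref=PLACEHOLDER; Path=/portal\r\n"
    "\r\n"
)

def parse_set_cookies(raw_headers):
    """Return {cookie_name: [attribute, ...]} for every Set-Cookie line."""
    cookies = {}
    for line in raw_headers.splitlines()[1:]:   # skip the status line
        if not line.strip():
            break                               # blank line ends the headers
        field, _, value = line.partition(":")
        if field.strip().lower() != "set-cookie":
            continue
        pair, *attrs = [part.strip() for part in value.split(";")]
        cookies[pair.partition("=")[0]] = [a for a in attrs if a]
    return cookies

def dropped_cookies(before_raw, after_raw):
    """Names set upstream that are missing from the downstream response."""
    return sorted(set(parse_set_cookies(before_raw)) - set(parse_set_cookies(after_raw)))

def report(before_raw, after_raw, session_cookie="esri_aopc"):
    """Summarise the comparison for the cookie the thread is concerned with."""
    delivered = parse_set_cookies(after_raw)
    return {
        "dropped": dropped_cookies(before_raw, after_raw),
        "session_cookie_delivered": session_cookie in delivered,
        "session_cookie_attrs": delivered.get(session_cookie, []),
    }

if __name__ == "__main__":
    print(report(BEFORE_ADAPTOR, AFTER_ADAPTOR))
```
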
LorenzMeyer1
Occasional Contributor

On ArcGIS 10.9.1 this cookie "esri_aopc" was available, but on a fresh ArcGIS 11.1 installation this cookie "esri_aopc" is no longer listed in the browser.
SebastienPetit
Occasional Contributor

Thank you.

Indeed it seems to be the same.

Let me check that

LorenzMeyer1
Occasional Contributor

We faced exactly the same problem here. Using 11.1 with OIDC loses the session in another browser tab. The newest patches are installed, including the WebAdaptor Reliability Patch 2 B.
LorenzMeyer1
Occasional Contributor

The issue occurs if, besides the OIDC login screen, you have the login screen for portal built-in users enabled. The software cannot properly handle that. The workaround is to disable the login screen for the portal built-in users. Then, opening a new browser tab does not require a new login.