OIDC Noticeable Delays in Authentication in 8.3 compared to on 8.1

Running Ignition Maker Edition 8.3.0-beta2 - my Perspective sessions are set to use OIDC for authentication against an Entra tenant. The login process at authenticating often hangs for a few seconds, compared to being practically instant on every login over the past few months when running on 8.1 (about .44 I think).

Not a problem per se, but a somewhat noticeable deviation from previous behaviour.

Hi @AaronJust -

Is your 8.3 environment identical to your 8.1 environment?

  • Same Entra Tenant / Endpoints for both?
  • Same Ignition hardware / software specs for both?

There are a lot of things going on as a part of an OIDC IdP authentication so we’d have to break it down and find the culprit. What would help narrow down timing issues is:

  1. Set gateway logger gateway.HttpOIDCClientService to level TRACE
  2. In a fresh browser session, open up your browser’s dev tools and turn on performance recording
  3. Navigate to Ignition and log in via your OIDC IdP
  4. Once you are redirected back to Ignition in a logged in state, stop the recording and stash it for analysis
  5. Stash a copy of your wrapper log file for analysis

Perform the above 2 steps for 8.1 and 8.3. This gives a pretty decent apples-to-apples comparison to help identify where the bottleneck might be. Specifically:

  • In the browser performance recording analysis: find which requests or pages are taking longer to load in 8.3.
  • In the Gateway logs: look for the debug message from logger gateway.HttpOIDCClientService with the following format: Received HTTP Response in %s, where %s should be the time it took from firing the back channel request(s) to receiving the response(s) for exchanging the auth code for the token and getting the optional user info if configured.

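The Gateway-log half of the comparison described in the reply above, as an added example that is not part of the original thread or Ignition's own tooling: it pulls the "Received HTTP Response in %s" durations for the OIDC client logger out of two sets of log lines and summarizes them per version. The sample lines are constructed, their layout is not a real wrapper log excerpt, `gateway.SomeOtherLogger` is a hypothetical name, and any duration unit other than the "5 seconds" and "108ms" forms quoted in this thread is an assumption.

```python
import re
import statistics

# Message text quoted in the thread: "Received HTTP Response in %s".
# "5 seconds" and "108ms" are the renderings seen there; other units are assumed.
PATTERN = re.compile(
    r"Received HTTP Response in\s+(\d+(?:\.\d+)?)\s*"
    r"(ms|milliseconds?|s|secs?|seconds?|min|minutes?)\b",
    re.IGNORECASE,
)

def to_ms(value, unit):
    unit = unit.lower()
    if unit.startswith(("ms", "milli")):
        return value
    if unit.startswith("min"):
        return value * 60_000
    return value * 1_000  # s / sec / seconds

def back_channel_times(lines, logger="HttpOIDCClientService"):
    """Back-channel response times (ms) logged by the OIDC client logger."""
    times = []
    for line in lines:
        match = PATTERN.search(line) if logger in line else None
        if match:
            times.append(to_ms(float(match.group(1)), match.group(2)))
    return times

def summarize(times, slow_ms=1_000):
    """Count, median, worst case and number of responses at or above slow_ms."""
    if not times:
        return None
    return {"count": len(times), "median_ms": statistics.median(times),
            "max_ms": max(times), "slow": sum(t >= slow_ms for t in times)}

# Constructed sample lines (layout is illustrative, not a real wrapper.log excerpt).
SAMPLE_81 = [
    "DEBUG [gateway.HttpOIDCClientService] Received HTTP Response in 112ms",
    "DEBUG [gateway.HttpOIDCClientService] Received HTTP Response in 95ms",
    "INFO  [gateway.SomeOtherLogger] Received HTTP Response in 9 seconds",
]
SAMPLE_83 = [
    "DEBUG [gateway.HttpOIDCClientService] Received HTTP Response in 5 seconds",
    "DEBUG [gateway.HttpOIDCClientService] Received HTTP Response in 108ms",
    "TRACE [gateway.HttpOIDCClientService] Sending token request",
    "DEBUG [gateway.HttpOIDCClientService] Received HTTP Response in 97ms",
]

if __name__ == "__main__":
    for name, lines in (("8.1", SAMPLE_81), ("8.3", SAMPLE_83)):
        print(name, summarize(back_channel_times(lines)))
```

To use it on real logs, pass the lines of each version's wrapper log file to `back_channel_times`; the output contains durations only, not the log lines themselves.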

I’ll do further diagnostics when I can in the next few days. The gateway was identical; I did a gateway backup on 8.1 and restored to 8.3. 8.1 was a Raspberry Pi 4 and was replaced with a Raspberry Pi 5. They are not in service in parallel as they share the same IP and can be swapped out as a sort of cold standby.

I’m having trouble re-replicating it. So I got the behaviour to happen the first 3 or 4 times that I logged in with my browser, but wasn’t recording what I wanted, and of course when I was recording it, now it’s logging in quite fast.

That said, on closer inspection with HttpOIDCClientService tracing on, I got “Received HTTP Response in 5 seconds” which was for a request for an authorization code and a response with a bearer token, but then more recently in the logs when the logins seemed fast, I got the same bearer token in 108ms.

So that looks very much like we are getting slow responses on occasion back from Microsoft, the strange thing being I do not recall this ever happening on 8.1 and it happens daily on 8.3.