[WebConsole] Fix refresh_token not provided without offline_access OIDC scope

Karakatiza666 · gz · commit 83863c9ca286 · 2025-10-31T00:05:02.000Z
Make env variables for auth configuration consistend with the rest

Signed-off-by: Karakatiza666 &lt;bulakh.96@gmail.com&gt;
diff --git a/.github/workflows/test-integration-platform.yml b/.github/workflows/test-integration-platform.yml
@@ -94,8 +94,8 @@ jobs:
             --mount type=bind,src=./test-tls,dst=/home/ubuntu/test-tls,readonly \
             -p 8080:8080 \
             -e AUTH_PROVIDER="${{ vars.OIDC_TEST_ISSUER && 'generic-oidc' || 'none' }}" \
-            -e AUTH_CLIENT_ID="${{ vars.OIDC_TEST_CLIENT_ID }}" \
-            -e AUTH_ISSUER="${{ vars.OIDC_TEST_ISSUER }}" \
+            -e FELDERA_AUTH_CLIENT_ID="${{ vars.OIDC_TEST_CLIENT_ID }}" \
+            -e FELDERA_AUTH_ISSUER="${{ vars.OIDC_TEST_ISSUER }}" \
             -e RUST_LOG=info \
             -e RUST_BACKTRACE=1 \
             ${{ vars.FELDERA_IMAGE_NAME }}:sha-${{ github.sha }} \
@@ -170,8 +170,8 @@ jobs:
         env:
           # Configure OIDC authentication if available, otherwise use no auth
           AUTH_PROVIDER: ${{ vars.OIDC_TEST_ISSUER && 'generic-oidc' || 'none' }}
-          AUTH_CLIENT_ID: ${{ vars.OIDC_TEST_CLIENT_ID }}
-          AUTH_ISSUER: ${{ vars.OIDC_TEST_ISSUER }}
+          FELDERA_AUTH_CLIENT_ID: ${{ vars.OIDC_TEST_CLIENT_ID }}
+          FELDERA_AUTH_ISSUER: ${{ vars.OIDC_TEST_ISSUER }}
           RUST_LOG: info
           RUST_BACKTRACE: 1
           # Needed by test_update_runtime.py
diff --git a/.gitignore b/.gitignore
@@ -82,3 +82,6 @@ playwright/.cache/
 *.pem
 *.crt
 *.key
+
+# pnpm
+.pnpm-store
diff --git a/CLAUDE.md b/CLAUDE.md
@@ -6697,8 +6697,8 @@ Additional features:
 #### **Configuration**
 ```bash
 # Environment variables for OIDC providers
-AUTH_ISSUER=https://your-domain.okta.com/oauth2/<custom-auth-server-id>
-AUTH_CLIENT_ID=your-client-id
+FELDERA_AUTH_ISSUER=https://your-domain.okta.com/oauth2/<custom-auth-server-id>
+FELDERA_AUTH_CLIENT_ID=your-client-id
 
 # For AWS Cognito (additional variables)
 AWS_COGNITO_LOGIN_URL=https://your-domain.auth.region.amazoncognito.com/login
diff --git a/crates/pipeline-manager/src/auth.rs b/crates/pipeline-manager/src/auth.rs
@@ -22,7 +22,7 @@
 //! a restart of the pipeline manager will refresh the cache.
 //!
 //! To support bearer token workflows, we require environment variables specific
-//! to each provider. All providers require AUTH_CLIENT_ID and AUTH_ISSUER.
+//! to each provider. All providers require FELDERA_AUTH_CLIENT_ID and FELDERA_AUTH_ISSUER.
 //! Some providers may require additional configuration (see provider-specific
 //! functions below).
 //!
@@ -399,9 +399,10 @@ pub(crate) enum AuthProvider {
 
 pub(crate) fn aws_auth_config() -> AuthConfiguration {
     let mut validation = Validation::new(Algorithm::RS256);
-    let client_id =
-        env::var("AUTH_CLIENT_ID").expect("Missing environment variable AUTH_CLIENT_ID");
-    let iss = env::var("AUTH_ISSUER").expect("Missing environment variable AUTH_ISSUER");
+    let client_id = env::var("FELDERA_AUTH_CLIENT_ID")
+        .expect("Missing environment variable FELDERA_AUTH_CLIENT_ID");
+    let iss =
+        env::var("FELDERA_AUTH_ISSUER").expect("Missing environment variable FELDERA_AUTH_ISSUER");
     let jwk_uri = format!("{}/.well-known/jwks.json", iss);
     // We do not validate with set_audience because it is optional,
     // and AWS Cognito doesn't consistently claim it in JWT (e.g. via Hosted UI
@@ -426,8 +427,8 @@ pub(crate) async fn generic_oidc_auth_config(
 ) -> Result<AuthConfiguration, Box<dyn std::error::Error>> {
     let mut validation = Validation::new(Algorithm::RS256);
     let client_id =
-        env::var("AUTH_CLIENT_ID").expect("Missing environment variable AUTH_CLIENT_ID");
-    let iss = env::var("AUTH_ISSUER").expect("Missing environment variable AUTH_ISSUER");
+        env::var("FELDERA_AUTH_CLIENT_ID").expect("Missing environment variable FELDERA_AUTH_CLIENT_ID");
+    let iss = env::var("FELDERA_AUTH_ISSUER").expect("Missing environment variable FELDERA_AUTH_ISSUER");
 
     // Use OIDC discovery to fetch jwks_uri
     let jwk_uri = fetch_jwks_uri_from_discovery(&iss).await?;
diff --git a/crates/pipeline-manager/src/config.rs b/crates/pipeline-manager/src/config.rs
@@ -585,8 +585,8 @@ pub struct ApiServerConfig {
     ///
     /// Usage depends on two environment variables to be set
     ///
-    /// AUTH_CLIENT_ID, the client-id or application
-    /// AUTH_ISSUER, the issuing service
+    /// FELDERA_AUTH_CLIENT_ID, the client-id or application
+    /// FELDERA_AUTH_ISSUER, the issuing service
     ///
     /// ** AWS Cognito provider **
     /// If the auth_provider is aws-cognito, there are two more
@@ -607,9 +607,9 @@ pub struct ApiServerConfig {
     /// support PKCE soon.
     ///
     /// ** Okta provider **
-    /// If the auth_provider is okta, the AUTH_ISSUER should be your Okta domain
+    /// If the auth_provider is okta, the FELDERA_AUTH_ISSUER should be your Okta domain
     /// including the authorization server ID (e.g., "<https://your-domain.okta.com/oauth2/default>").
-    /// The AUTH_CLIENT_ID should be the client ID from your Okta application configuration.
+    /// The FELDERA_AUTH_CLIENT_ID should be the client ID from your Okta application configuration.
     ///
     /// ** Tenant Assignment **
     /// Tenant assignment follows this priority order:
diff --git a/deploy/docker-compose.yml b/deploy/docker-compose.yml
@@ -13,8 +13,8 @@ services:
     environment:
       - RUST_LOG=info,actix_web=error,tokio_postgres=info
       - RUST_BACKTRACE=1
-      - AUTH_CLIENT_ID
-      - AUTH_ISSUER
+      - FELDERA_AUTH_CLIENT_ID
+      - FELDERA_AUTH_ISSUER
     healthcheck:
       # TODO: add `/status` endpoint.
       test:
diff --git a/docs.feldera.com/docs/contributors/dev-flow.md b/docs.feldera.com/docs/contributors/dev-flow.md
@@ -44,7 +44,7 @@ In Authenticated mode, you need to login via the Web Console using one of the su
 
 Start the Pipeline Manager in authenticated mode, substituting values from your environment:
 ```bash
-AUTH_CLIENT_ID=<client-id> AUTH_ISSUER=<issuer> <see below for additional environment variables> \
+FELDERA_AUTH_CLIENT_ID=<client-id> FELDERA_AUTH_ISSUER=<issuer> <see below for additional environment variables> \
  cargo run --bin pipeline-manager -- --auth-provider=aws-cognito
 ```
 
@@ -69,15 +69,15 @@ Additional variables for AWS Cognito:
 
 Example:
 ```bash
-AUTH_CLIENT_ID=xxxxxxxxxxxxxxxxxxxxxxxxxx AUTH_ISSUER=https://cognito-idp.us-east-1.amazonaws.com/us-east-1_xxxxxxxxx AWS_COGNITO_LOGIN_URL="https://itest-pool.auth.us-east-1.amazoncognito.com/login\?client_id=xxxxxxxxxxxxxxxxxxxxxxxxxx&response_type=token&scope=email+openid" AWS_COGNITO_LOGOUT_URL="https://itest-pool.auth.us-east-1.amazoncognito.com/logout\?client_id=xxxxxxxxxxxxxxxxxxxxxxxxxx&response_type=token&scope=email+openid" RUST_LOG=debug,tokio_postgres=info cargo run --bin=pipeline-manager -- --dev-mode --auth-provider aws-cognito
+FELDERA_AUTH_CLIENT_ID=xxxxxxxxxxxxxxxxxxxxxxxxxx FELDERA_AUTH_ISSUER=https://cognito-idp.us-east-1.amazonaws.com/us-east-1_xxxxxxxxx AWS_COGNITO_LOGIN_URL="https://itest-pool.auth.us-east-1.amazoncognito.com/login\?client_id=xxxxxxxxxxxxxxxxxxxxxxxxxx&response_type=token&scope=email+openid" AWS_COGNITO_LOGOUT_URL="https://itest-pool.auth.us-east-1.amazoncognito.com/logout\?client_id=xxxxxxxxxxxxxxxxxxxxxxxxxx&response_type=token&scope=email+openid" RUST_LOG=debug,tokio_postgres=info cargo run --bin=pipeline-manager -- --dev-mode --auth-provider aws-cognito
 ```
 
 ##### Google Identity Platform
 Additional variables for Google Identity Platform: none
 
 Example:
 ```bash
-AUTH_CLIENT_ID=xxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com AUTH_ISSUER="https://accounts.google.com" RUST_LOG=debug,tokio_postgres=info cargo run --bin=pipeline-manager -- --dev-mode --auth-provider google-identity
+FELDERA_AUTH_CLIENT_ID=xxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.apps.googleusercontent.com FELDERA_AUTH_ISSUER="https://accounts.google.com" RUST_LOG=debug,tokio_postgres=info cargo run --bin=pipeline-manager -- --dev-mode --auth-provider google-identity
 ```
 
 ## Run benchmarks
diff --git a/docs.feldera.com/docs/get-started/enterprise/authentication/okta-sso.md b/docs.feldera.com/docs/get-started/enterprise/authentication/okta-sso.md
@@ -157,15 +157,15 @@ Configure the following environment variables for your Feldera deployment:
 
 ```bash
 # Okta OIDC configuration
-AUTH_ISSUER=https://<your-okta-domain>/oauth2/<custom-auth-server-id>
-AUTH_CLIENT_ID=<your-client-id>
+FELDERA_AUTH_ISSUER=https://<your-okta-domain>/oauth2/<custom-auth-server-id>
+FELDERA_AUTH_CLIENT_ID=<your-client-id>
 ```
 
 ### Optional Variables
 
 ```bash
 # Custom authorization server (if not using default)
-AUTH_ISSUER=https://<your-okta-domain>/oauth2/<custom-auth-server-id>
+FELDERA_AUTH_ISSUER=https://<your-okta-domain>/oauth2/<custom-auth-server-id>
 ```
 
 ## Helm Chart Configuration
@@ -214,7 +214,7 @@ Configure Feldera to accept tokens from multiple Okta organizations:
 
 ```bash
 # Example supporting multiple customers
-AUTH_ISSUER=https://customer1.okta.com/oauth2/default,https://customer2.okta.com/oauth2/default
+FELDERA_AUTH_ISSUER=https://customer1.okta.com/oauth2/default,https://customer2.okta.com/oauth2/default
 ```
 
 ### 3. Automatic Tenant Assignment
@@ -236,10 +236,10 @@ With `--issuer-tenant=true`, each customer automatically gets their own tenant:
 
 #### "Invalid audience" Error
 - **Cause**: Client ID mismatch between Okta app and Feldera config
-- **Solution**: Verify `AUTH_CLIENT_ID` matches Okta application client ID
+- **Solution**: Verify `FELDERA_AUTH_CLIENT_ID` matches Okta application client ID
 
 #### "Invalid issuer" Error
 - **Cause**: Issuer URL mismatch
-- **Solution**: Verify `AUTH_ISSUER` matches Okta authorization server URL
+- **Solution**: Verify `FELDERA_AUTH_ISSUER` matches Okta authorization server URL
 
 For additional help, consult the [Okta Developer Documentation](https://developer.okta.com/docs/) or contact your Feldera support team.
diff --git a/web-console/bun.lock b/web-console/bun.lock
diff --git a/web-console/package.json b/web-console/package.json
@@ -26,7 +26,7 @@
   },
   "devDependencies": {
     "@auth/sveltekit": "^1.7.4",
-    "@axa-fr/oidc-client": "^7.25.3",
+    "@axa-fr/oidc-client": "^7.26.0",
     "@bithero/monaco-editor-vite-plugin": "^1.0.2",
     "@fontsource-variable/dm-sans": "^5.1.1",
     "@fontsource/dm-mono": "^5.1.1",
diff --git a/web-console/src/lib/compositions/auth.ts b/web-console/src/lib/compositions/auth.ts
@@ -271,7 +271,7 @@ export const loadAuthConfig = async () => {
         const storage = sessionStorage
 
         // Build scope string: always include openid, profile, email, and any extra scopes
-        const baseScopes = 'openid profile email'
+        const baseScopes = 'openid profile email offline_access'
         const extraScopes = config.extra_oidc_scopes.join(' ')
         const scope = extraScopes ? `${baseScopes} ${extraScopes}` : baseScopes
 
diff --git a/web-console/src/lib/services/auth.ts b/web-console/src/lib/services/auth.ts
@@ -21,6 +21,8 @@ export const authResponseMiddleware = async (response: Response, request: Reques
     if (validToken?.isTokensValid) {
       return fetch(request)
     }
+
+    console.error('Unable to extend user session. refresh_token was probably not issued.')
   }
   return response
 }
diff --git a/web-console/src/routes/+layout.svelte b/web-console/src/routes/+layout.svelte
@@ -40,7 +40,7 @@
 />
 
 <Toaster position={'bottom-right'} toastOptions={{}}></Toaster>
-{@render children()}
+{@render children?.()}
 
 <style lang="scss" global>
   .toast-error {

-Original file line number
+Diff line change
 *.pem
 *.crt
 *.key
++
 +# pnpm
 +.pnpm-store