Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Please sign in again? - Way to keep non-idle? #1357

Open
jmergy opened this issue Aug 8, 2024 · 21 comments
Open

Please sign in again? - Way to keep non-idle? #1357

jmergy opened this issue Aug 8, 2024 · 21 comments
Labels
authentication Related to authentication enhancement New feature or request known issue/workaround Workaround available in the know_issues.md file

Comments

@jmergy
Copy link

jmergy commented Aug 8, 2024

Assuming this is due to org policy around timeout. Can we do something that would keep the connection active enough to not trigger this? Native Teams or Outlook or other apps seem to be able to hold on to this. Maybe through certs or something? Pretty annoying. I understand there is only so much one can do here but asking.

@IsmaelMartinez
Copy link
Owner

Hi @jmergy , we had a similar issue in here #1045 but people reported it was better.

Maybe see if you can use the intune option.

@IsmaelMartinez
Copy link
Owner

did you manage to try and/or use one of the other options available to login? How did you get along with it? Thanks

@jmergy
Copy link
Author

jmergy commented Aug 16, 2024

Still playing with it. We can close this for now and I will come back if I have some progress.

@IsmaelMartinez IsmaelMartinez added enhancement New feature or request authentication Related to authentication labels Aug 23, 2024
@masc-ppi
Copy link

I have the same problem, need to re-login every few hours. Our company uses Intune, and I tried the new settings for that. It does not make a difference. In the log, I get the following warning:

[2024-08-29 09:52:58.299] [debug] configFile: {
  ssoInTuneEnabled: true,
  ssoInTuneAuthUser: '[email protected]'
}
[2024-08-29 09:52:58.786] [debug] Initializing InTune SSO
[2024-08-29 09:52:58.973] [debug] processArgs: [ '/opt/teams-for-linux/teams-for-linux' ]
[2024-08-29 09:52:58.974] [debug] testing RegExp processArgs false
[2024-08-29 09:52:58.975] [debug] Testing network using net.request() for https://teams.microsoft.com/v2
[2024-08-29 09:52:58.979] [debug] Spellchecker is disabled!
[2024-08-29 09:52:59.315] [warn]  Failed to find microsoft-identity-broker DBus interface

Do I need to start any other service/component to provide the missing microsoft-identity-broker DBus interface?

@IsmaelMartinez
Copy link
Owner

maybe check in here ? #1280 . There it explain how they did it and it might give you clues on how to get it to work.

@masc-ppi
Copy link

Thanks for pointing that out. I've checked #1280 and I'm now under the impression that I need to run the MS Intune app (https://learn.microsoft.com/de-de/mem/intune/user-help/microsoft-intune-app-linux). That one seems to provide the relevant DBus interface. Unfortunately, it is not yet available for Ubuntu 24.04.

@IsmaelMartinez
Copy link
Owner

IsmaelMartinez commented Oct 2, 2024

I am going to close this as there is little more we can do to avoid this please sign in again other than the certificate and intune options already mentioned. Hopefully they release the intune app for ubuntu 24.04 soon.

(trying to keep the backlog manageable). Do shout if you think this should be open and I can re-open for a few more months and repeat this process

@IsmaelMartinez IsmaelMartinez added the known issue/workaround Workaround available in the know_issues.md file label Oct 2, 2024
@bpozdena
Copy link

bpozdena commented Oct 4, 2024

@IsmaelMartinez My problem is that I need to re-login via 3rd party SAML IdP with token every 24 hours, so there is no way to work around it.

Questions:

  1. Would it be possible to show a pop up message when the authentication expires? My problem is that I never know that I have been logged out when Teams is minimized.
  2. Would it be possible to automatically log out and ask for credentials when Teams start in the morning? That way I'm not silently deauthenticated at random times during the day? Alternatively, what do I need to delete every morning to get de-authenticated in Teams?
  3. Is there any way to share the cookies from browser, where I'm already logged on via SAML and to Office365, etc?
  4. Theoretically, if I create external script to authenticate me and extract the cookies, where and how I should inject them into Teams?

@martinsznapka
Copy link

I am experiencing same problem like bpozdena.

I turn on Teams4Linux in the morning and sometimes login dialog appears, sometimes not (probably depending on some token expiration).

If the login popup is not shown, then randomly after few hours I get suddenly toolbar with "Sign in" button, sometimes it drop me from meeting. It is very annoying. Then I need to login via 2F authentication with company credentials.

I would be happy if T4L force login on every startup so I do not experience this ugly behavior. I was searching for some parameters to do that, but no success.

@bpozdena
Copy link

After many missed messages during my working hours, I at least for now configured Teams to autostart maximized and with cleared storage using the --minimized false --clearStorage arguments. This way I don't forget to re-login every morning.

Example:

cat ~/.config/autostart/teams-for-linux.desktop

[Desktop Entry]
Categories=Chat;Network;Office;
Comment[en_US]=Unofficial Microsoft Teams client for Linux using Electron. It uses the Web App and wraps it as a standalone application using Electron.
Comment=Unofficial Microsoft Teams client for Linux using Electron. It uses the Web App and wraps it as a standalone application using Electron.
Exec=/opt/teams-for-linux/teams-for-linux --minimized false --clearStorage %U
GenericName[en_US]=
GenericName=
Icon=teams-for-linux
MimeType=
Name[en_US]=Teams for Linux
Name=Teams for Linux
Path=
StartupNotify=true
StartupWMClass=teams-for-linux
Terminal=false
TerminalOptions=
Type=Application
X-KDE-SubstituteUID=false
X-KDE-Username=

@bpozdena
Copy link

bpozdena commented Oct 11, 2024

@IsmaelMartinez , would it be possible to implement permanent OAuth2 authentication for custom "MyApp" similar to how onedrive client for linux does it

With this approach my onedrive client remains logged in for weeks without any issues (until I am forced to change password).

@IsmaelMartinez
Copy link
Owner

not that easy as we use electron to wrap around this. I had a look to see if I could do something in the website part, but I can't seem to find a place where this would work.

@martinsznapka , what happens if you close the app and clean the cache ? We might be able to force a cache cleanup (hopefully only of the authentication tokens part) but I am not sure where that authentication tokens sit. The browser section (I assume) but dunno where and if they are accessible

@martinsznapka
Copy link

I tried to Quit with Clear storage and opening T4L forced me to login. So clearing only authentication part would be great feature!

Clearing full storage isn't really nice for me, since some settings are gone (background image during meeting, predefined user login, etc.).

@IsmaelMartinez
Copy link
Owner

well, that gives me an area to explore ;)

@IsmaelMartinez
Copy link
Owner

Hi all,

I have added a debug log of the auth cookie changes in:
https://github.com/IsmaelMartinez/teams-for-linux/releases/tag/v1.11.2

It logs the cookie name, expiration date (in timestamp format) and domain.

Can you run the app with debug mode and see if we get more info from it? The cookie value is not printed at the moment, but can change that later if preferred.

Trying to find a pattern in here as MS does support many ways of authentication so this cookie might not be what we are looking for.

@martinsznapka
Copy link

$ ./teams-for-linux --logConfig={"transports":{"console":{"level":"debug"},"file":{"level":false}}}
No config file found, using default values
all good with appLogLevels you aren't using them
all good with onlineCheckMethod you aren't using them
Initialising logger with config: ["{transports:console:{level:debug}}","{transports:file:{level:false}}"]
12:59:58.813 › File logging at /home/msznapka/.config/teams-for-linux/logs/main.log with level silly
12:59:58.814 › Console logging enabled with level silly
12:59:58.814 › Logger initialised
12:59:58.814 › configPath: /home/msznapka/.config/teams-for-linux
12:59:58.815 › configFile: {}
12:59:58.952 › processArgs: [
  '/home/msznapka/programs/teams/teams-for-linux',
  '--logConfig={transports:console:{level:debug}}',
  '--logConfig={transports:file:{level:false}}'
]
12:59:58.952 › testing RegExp processArgs false
12:59:58.953 › testing RegExp processArgs false
12:59:58.953 › testing RegExp processArgs false
12:59:58.953 › Waiting for network...
12:59:58.953 › Testing network using net.request() for https://teams.microsoft.com
12:59:58.955 › Spellchecker is disabled!
[210533:1016/125959.153733:ERROR:nss_util.cc(345)] After loading Root Certs, loaded==false: NSS error code: -8018
12:59:59.230 › Network test successful with method https
12:59:59.658 › GetSystemIdleState => IdleTimeout: 300s, IdleTimeoutPollInterval: 10s, ActiveCheckPollInterval: 2s, IdleTime: 1s, IdleState: 'active'
[210533:1016/125959.660121:ERROR:object_proxy.cc(576)] Failed to call method: org.freedesktop.ScreenSaver.GetActive: object_path= /org/freedesktop/ScreenSaver: org.freedesktop.DBus.Error.NotSupported: This method is not implemented
13:00:00.105 › did-frame-finish-load {} true
13:00:00.106 › did-finish-load
13:00:00.843 › cookie changed cause: overwrite 
 removed?: true 

13:00:00.843 › cookie: authtoken 
 expirationDate: 1729135342.74778 
 domain: teams.microsoft.com
13:00:00.843 › cookie changed cause: explicit 
 removed?: false 

13:00:00.844 › cookie: authtoken 
 expirationDate: 1729135341.842887 
 domain: teams.microsoft.com
13:00:01.058 › Badge count set to '0'
13:00:01.065 › Badge count set to '0'
13:00:01.714 › Badge count set to '0'
13:00:03.390 › did-frame-finish-load {} false
13:00:09.719 › GetSystemIdleState => IdleTimeout: 300s, IdleTimeoutPollInterval: 10s, ActiveCheckPollInterval: 2s, IdleTime: 1s, IdleState: 'active'

@IsmaelMartinez
Copy link
Owner

would you be able to leave the app running and see what logs we get on those cookies tomorrow? I think we might be able to detect the authentication token didn't refresh if we get a :

13:00:00.843 › cookie changed cause: overwrite 
 removed?: true 

13:00:00.843 › cookie: authtoken 
 expirationDate: 1729135342.74778 
 domain: teams.microsoft.com

That is not closely followed by a:

13:00:00.843 › cookie changed cause: explicit 
 removed?: false 

13:00:00.844 › cookie: authtoken 
 expirationDate: 1729135341.842887 
 domain: teams.microsoft.com

Then we can decide how to deal with it if that is a symptom

@martinsznapka
Copy link

$ ./teams-for-linux --logConfig={"transports":{"console":{"level":"debug"},"file":{"level":false}}}
No config file found, using default values
all good with appLogLevels you aren't using them
all good with onlineCheckMethod you aren't using them
Initialising logger with config: ["{transports:console:{level:debug}}","{transports:file:{level:false}}"]
08:54:39.215 › File logging at /home/msznapka/.config/teams-for-linux/logs/main.log with level silly
08:54:39.216 › Console logging enabled with level silly
08:54:39.216 › Logger initialised
08:54:39.217 › configPath: /home/msznapka/.config/teams-for-linux
08:54:39.217 › configFile: {}
08:54:39.351 › processArgs: [
  '/home/msznapka/programs/teams/teams-for-linux',
  '--logConfig={transports:console:{level:debug}}',
  '--logConfig={transports:file:{level:false}}'
]
08:54:39.352 › testing RegExp processArgs false
08:54:39.352 › testing RegExp processArgs false
08:54:39.352 › testing RegExp processArgs false
08:54:39.352 › Waiting for network...
08:54:39.352 › Testing network using net.request() for https://teams.microsoft.com
08:54:39.354 › Spellchecker is disabled!
[8443:1017/085439.535822:ERROR:nss_util.cc(345)] After loading Root Certs, loaded==false: NSS error code: -8018
08:54:39.595 › Network test successful with method https
08:54:39.965 › GetSystemIdleState => IdleTimeout: 300s, IdleTimeoutPollInterval: 10s, ActiveCheckPollInterval: 2s, IdleTime: 0s, IdleState: 'active'
[8443:1017/085439.966405:ERROR:object_proxy.cc(576)] Failed to call method: org.freedesktop.ScreenSaver.GetActive: object_path= /org/freedesktop/ScreenSaver: org.freedesktop.DBus.Error.NotSupported: This method is not implemented
08:54:42.397 › did-frame-finish-load {} true
08:54:42.397 › did-finish-load
08:54:43.421 › did-frame-finish-load {} false
08:54:43.665 › Badge count set to '0'
08:54:43.674 › Badge count set to '0'
08:54:44.385 › Badge count set to '0'
08:54:44.600 › assignOnDidFailLoadEventHandler : {} - -3 - 
08:54:44.962 › did-frame-finish-load {} false
08:54:45.402 › assignOnDidFailLoadEventHandler : {} - -3 - 
08:54:45.803 › did-frame-finish-load {} false
08:54:46.019 › did-frame-finish-load {} false
08:54:46.256 › assignOnDidFailLoadEventHandler : {} - -3 - 
08:54:46.596 › did-frame-finish-load {} false
08:54:46.887 › assignOnDidFailLoadEventHandler : {} - -3 - 
08:54:48.972 › did-frame-finish-load {} false
08:54:49.219 › assignOnDidFailLoadEventHandler : {} - -3 - 
08:54:49.502 › GetSystemIdleState => IdleTimeout: 300s, IdleTimeoutPollInterval: 10s, ActiveCheckPollInterval: 2s, IdleTime: 0s, IdleState: 'active'
08:54:49.551 › did-frame-finish-load {} true
08:54:49.551 › did-finish-load
08:54:54.392 › GetSystemIdleState => IdleTimeout: 300s, IdleTimeoutPollInterval: 10s, ActiveCheckPollInterval: 2s, IdleTime: 0s, IdleState: 'active'
08:54:54.421 › did-frame-finish-load {} true
08:54:54.422 › did-finish-load
08:55:04.394 › GetSystemIdleState => IdleTimeout: 300s, IdleTimeoutPollInterval: 10s, ActiveCheckPollInterval: 2s, IdleTime: 10s, IdleState: 'active'
08:55:04.521 › GetSystemIdleState => IdleTimeout: 300s, IdleTimeoutPollInterval: 10s, ActiveCheckPollInterval: 2s, IdleTime: 10s, IdleState: 'active'
08:55:04.879 › did-frame-finish-load {} true
08:55:04.879 › did-finish-load
08:55:05.423 › did-frame-finish-load {} false
08:55:05.782 › Badge count set to '0'
08:55:05.793 › Badge count set to '0'
08:55:06.023 › assignOnDidFailLoadEventHandler : {} - -3 - 
08:55:06.474 › cookie changed cause: explicit 
 removed?: false 

08:55:06.474 › cookie: authtoken 
 expirationDate: 1729229047.474162 
 domain: teams.microsoft.com
08:55:06.474 › cookie changed cause: explicit 
 removed?: false 

08:55:06.474 › cookie: authtoken 
 expirationDate: 1729229047.474162 
 domain: teams.microsoft.com
08:55:06.475 › cookie changed cause: explicit 
 removed?: false 

08:55:06.475 › cookie: authtoken 
 expirationDate: 1729229047.474162 
 domain: teams.microsoft.com
08:55:06.475 › cookie changed cause: explicit 
 removed?: false 

08:55:06.475 › cookie: authtoken 
 expirationDate: 1729229047.474162 
 domain: teams.microsoft.com
08:55:06.535 › Badge count set to '0'
08:55:07.968 › Badge count set to '1'
08:55:08.207 › did-frame-finish-load {} false
08:55:08.382 › Badge count set to '3'
08:55:14.581 › GetSystemIdleState => IdleTimeout: 300s, IdleTimeoutPollInterval: 10s, ActiveCheckPollInterval: 2s, IdleTime: 0s, IdleState: 'active'
08:55:24.584 › GetSystemIdleState => IdleTimeout: 300s, IdleTimeoutPollInterval: 10s, ActiveCheckPollInterval: 2s, IdleTime: 2s, IdleState: 'active'
08:55:29.375 › window close
08:55:29.509 › window closed
08:55:29.509 › before-quit
08:55:29.509 › will-quit
08:55:29.509 › quit

@IsmaelMartinez
Copy link
Owner

I wonder if this is on the back of locking your screen for an extended period. Aka, the re-authentication flow stops happening and when you unlock your screen the token has expired.

A few things to try and send logs. Start the app...

  • And then close the laptop for a few hours. Reopen and share the logs
  • With other option for the lock screen inhibitor (screenLockInhibitionMethod). It defaults to Electron so try WakeLockSentinel that is the other option available. Similarly, share the logs.

Thanks!

@ciros88
Copy link

ciros88 commented Dec 6, 2024

same issue here, keeps asking for signin every day

@IsmaelMartinez
Copy link
Owner

@ciros88 , can you provide the logs with the tests I indicated before? Still trying to figure out if we can detect this and force an refresh of the token. Otherwise you should focus on getting intune configured.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
authentication Related to authentication enhancement New feature or request known issue/workaround Workaround available in the know_issues.md file
Projects
None yet
Development

No branches or pull requests

6 participants