When using OAuth and vIDM to log into NSX, sessions appear to time out at random after 15 to 20 minutes.
You will see entries in /var/log/proxy/reverse-proxy.log on the NSX Managers similar to this:
2022-03-23T10:47:23.001Z INFO Processing request ########-####-####-############ OAuth2AuthenticationProvider #### - [nsx@#### comp="nsx-manager" level="INFO" subcomp="http"] Failed to use SAMAccountName, attempting UserPrincipleName: Invalid credentials
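To confirm that the time-outs follow the pattern this KB describes rather than some other authentication failure, the following Python script (an added example, not part of the KB) parses reverse-proxy.log lines of the shape shown above, keeps only the OAuth2AuthenticationProvider "Invalid credentials" fallbacks, counts them per minute and reports the gaps between consecutive occurrences. The sample log is constructed: request ids, the number after the provider name and the syslog SD-ID are placeholders (the KB masks them), and the two non-matching lines exist only to show the filter at work.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Message the KB associates with an expired access token that cannot be refreshed.
OAUTH_EXPIRY_MSG = ("Failed to use SAMAccountName, attempting UserPrincipleName: "
                    "Invalid credentials")

# Shape of a reverse-proxy.log line as shown in the KB. The request id, the
# numeric field after the provider and the "nsx@..." SD-ID are masked there,
# so they are matched loosely here.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<level>\w+) Processing request (?P<req>\S+) "
    r"(?P<provider>\S+) \S+ - \[(?P<sd>[^\]]*)\] (?P<msg>.*)$"
)

# Constructed sample log (not a real capture): three OAuth fallbacks about
# 15 minutes apart plus two lines the filter must ignore (a different message,
# and the same message from a hypothetical non-OAuth provider).
SAMPLE_LOG = """\
2022-03-23T10:47:23.001Z INFO Processing request 00000000-0000-0000-000000000001 OAuth2AuthenticationProvider 4242 - [nsx@0000 comp="nsx-manager" level="INFO" subcomp="http"] Failed to use SAMAccountName, attempting UserPrincipleName: Invalid credentials
2022-03-23T10:51:02.110Z INFO Processing request 00000000-0000-0000-000000000002 OAuth2AuthenticationProvider 4242 - [nsx@0000 comp="nsx-manager" level="INFO" subcomp="http"] Token validated
2022-03-23T11:02:24.318Z INFO Processing request 00000000-0000-0000-000000000003 OAuth2AuthenticationProvider 4242 - [nsx@0000 comp="nsx-manager" level="INFO" subcomp="http"] Failed to use SAMAccountName, attempting UserPrincipleName: Invalid credentials
2022-03-23T11:05:00.000Z INFO Processing request 00000000-0000-0000-000000000004 LocalAuthenticationProvider 4242 - [nsx@0000 comp="nsx-manager" level="INFO" subcomp="http"] Failed to use SAMAccountName, attempting UserPrincipleName: Invalid credentials
2022-03-23T11:17:25.905Z INFO Processing request 00000000-0000-0000-000000000005 OAuth2AuthenticationProvider 4242 - [nsx@0000 comp="nsx-manager" level="INFO" subcomp="http"] Failed to use SAMAccountName, attempting UserPrincipleName: Invalid credentials
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return rec


def oauth_expiry_events(log_text):
    """Timestamps (file order) of OAuth2 'Invalid credentials' fallbacks only."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["provider"] == "OAuth2AuthenticationProvider" and rec["msg"] == OAUTH_EXPIRY_MSG:
            events.append(rec["ts"])
    return events


def events_per_minute(times):
    """How many fallbacks were logged in each minute bucket."""
    return Counter(t.strftime("%Y-%m-%dT%H:%M") for t in times)


def gaps_in_minutes(times):
    """Minutes between consecutive fallbacks, rounded to two decimals."""
    return [round((b - a).total_seconds() / 60, 2) for a, b in zip(times, times[1:])]


def consistent_with_access_token_ttl(gaps, ttl_minutes=15, slack_minutes=5):
    """True when every gap lies in [ttl, ttl + slack]: the 15-20 minute
    pattern the KB describes for a 15-minute access token with no refresh."""
    return bool(gaps) and all(ttl_minutes <= g <= ttl_minutes + slack_minutes for g in gaps)


if __name__ == "__main__":
    ev = oauth_expiry_events(SAMPLE_LOG)
    for minute, n in sorted(events_per_minute(ev).items()):
        print(f"{minute}  {n} OAuth fallback(s)")
    gaps = gaps_in_minutes(ev)
    print("gaps (min):", gaps)
    print("matches access-token TTL pattern:", consistent_with_access_token_ttl(gaps))
```

Run it against a real file with `oauth_expiry_events(open("/var/log/proxy/reverse-proxy.log").read())`; gaps that sit consistently just above 15 minutes point at the expired-access-token cause in this KB, while bursts of many fallbacks within one minute point elsewhere.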
This affects NSX with vIDM using OAuth credentials and the Advanced Load Balancer.
This is due to a bug in which the option to re-authenticate automatically (via a refresh token) after the initial access token expires was removed.
Open an SR with Broadcom, mentioning this KB.
Attach to the case:
The vIDM user is given an Access Token. This token has a Time To Live of 15 minutes. When that time expires the user needs a new Access Token. This is only possible when refresh_token is specified (note that it has been removed). When refresh_token is specified, the user can keep refreshing the Access Token until the Refresh Token TTL expires. This is set to 30 days (30*24*60 minutes).
The problem is that the refresh token was removed, so after 15 minutes the user's Access Token cannot be refreshed and re-authentication is required.
The refresh token was removed because the vIDM server must keep a record of every refresh token in its database. Interactive user logins alone would not overload it, but some NSX clients make as many as 100 authentication requests per minute nearly non-stop.
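The token lifecycle described above, modelled in Python as an added example (not code from the KB or from vIDM): an Access Token lives 15 minutes and a Refresh Token 30 days, exactly as stated. A client that keeps using its session is simulated with and without a refresh token granted, and the model counts how often it is forced back to interactive login versus how often it silently refreshes. The clock, the session class and the simulation loop are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

ACCESS_TOKEN_TTL = timedelta(minutes=15)   # from the KB
REFRESH_TOKEN_TTL = timedelta(days=30)     # from the KB: 30*24*60 minutes


@dataclass
class Session:
    """Illustrative model of one user's vIDM session (assumption, not vIDM's code)."""
    access_issued_at: datetime
    refresh_issued_at: Optional[datetime]   # None when no refresh_token was granted
    reauth_count: int = 0                   # interactive logins forced on the user
    refresh_count: int = 0                  # silent refreshes via the refresh token

    def access_valid(self, now):
        return now < self.access_issued_at + ACCESS_TOKEN_TTL

    def refresh_valid(self, now):
        return (self.refresh_issued_at is not None
                and now < self.refresh_issued_at + REFRESH_TOKEN_TTL)


def touch(session, now):
    """The client uses the session at time `now`; returns what had to happen."""
    if session.access_valid(now):
        return "ok"
    if session.refresh_valid(now):
        # Refresh token still good: mint a new access token without user interaction.
        session.access_issued_at = now
        session.refresh_count += 1
        return "refreshed"
    # No usable refresh token: the user must log in again. A fresh refresh
    # token is issued only if the grant includes one at all.
    session.access_issued_at = now
    if session.refresh_issued_at is not None:
        session.refresh_issued_at = now
    session.reauth_count += 1
    return "reauth"


def simulate(duration, step, refresh_granted):
    """Drive a continuously active client for `duration`, touching every `step`.
    Returns the final session state and the list of non-trivial events."""
    start = datetime(2022, 3, 23, 10, 0, tzinfo=timezone.utc)  # constructed clock
    session = Session(start, start if refresh_granted else None)
    events = []
    t = start + step
    while t <= start + duration:
        outcome = touch(session, t)
        if outcome != "ok":
            events.append((t, outcome))
        t += step
    return session, events


if __name__ == "__main__":
    for granted in (False, True):
        s, ev = simulate(timedelta(hours=1), timedelta(minutes=1), granted)
        print(f"refresh_token granted={granted}: "
              f"{s.reauth_count} forced logins, {s.refresh_count} silent refreshes in 1 hour")
    s, _ = simulate(timedelta(days=31), timedelta(minutes=15), True)
    print(f"over 31 days with refresh_token: {s.reauth_count} forced login(s) "
          f"(refresh token TTL reached), {s.refresh_count} refreshes")
```

With no refresh token the user is sent back to the login page at 15, 30, 45 and 60 minutes of a one-hour session, which is the behaviour reported in this KB; with the refresh token present those become silent refreshes and the first forced login does not occur until the 30-day refresh TTL is reached.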