dokuwiki-plugin-oauth

Logout because of expired access token

Open xi opened this issue 11 months ago • 3 comments

Issue Description

May be related to #100.

After some time after the login, I get logged out with the message "OAuth: An error occured during the request to the oauth provider: [HTTP 401]".

As far as I understand, this plugin is checking at some point whether the access token is still valid, or, if it is not, tries to get a new one using a refresh token.

This is what I found in the OIDC spec:

Access Tokens might not be revocable by the Authorization Server. Access Token lifetimes SHOULD therefore be kept to single use or very short lifetimes.

If ongoing access to the UserInfo Endpoint or other Protected Resources is required, a Refresh Token can be used. The Client can then exchange the Refresh Token at the Token Endpoint for a fresh short-lived Access Token that can be used to access the resource.

If I understand the spec correctly, the access token should only be used to fetch user info or other protected data. There is no mention that the client session should expire with the access token. So I think this is a bug.

xi avatar Jan 10 '25 14:01 xi

Same here. As this plugin is for authentication, it should follow the OIDC spec. To check for successful authentication the id_token must be used. After that the access_token can be used to retrieve additional information about the user from the userinfo endpoint (the protected resource). This is often not necessary because the id_token already contains it (userid, username, email).

Regarding the session expiration: the lifetime of the application session is not related to the expiration of the token, as noted in https://openid.net/specs/openid-connect-core-1_0.html#IDToken:

NOTE: The ID Token expiration time is unrelated [to] the lifetime of the authenticated session between the RP and the OP.

See also https://stackoverflow.com/questions/25686484/what-is-intent-of-id-token-expiry-time-in-openid-connect.

The application can essentially throw away both tokens after validating them and rely on its own session cookie, as it would with a normal password login.

NomAnor avatar Feb 12 '25 22:02 NomAnor

+1 for this, I am getting logged out all the time after I switched to oauth based login.

Just using the token once and setting DokuWiki's own token would solve this, I think.

Edit to add partial output from my KeyCloak server showing what happens.

... type="REFRESH_TOKEN_ERROR", ... , error="invalid_token", reason="Token is not active", grant_type="refresh_token", client_auth_method="client-secret"

FlyveHest avatar Nov 20 '25 19:11 FlyveHest

I believe this issue is not in this plugin, but in DokuWiki itself: the setting auth_security_timeout is used to recheck credentials after some amount of time. This allows users to be logged out when their account has been deactivated in the identity provider. But it is not something that is supported by most authentication schemes.

xi avatar Nov 21 '25 07:11 xi

The plugin already uses a refresh token to refresh the access token when needed. I'm using this plugin with Google oAuth and am basically never logged out.

So it would be helpful if you folks could describe your actual setup in more detail.

What you're asking for is to authenticate once and then never recheck at the identity provider. To me that makes no sense. You're using oAuth to centralize your user management. Part of that is a central place to disable or remove a user. If the oauth plugin does not recheck expired tokens, how do you expect users to be denied access when you delete them?

splitbrain avatar Dec 01 '25 08:12 splitbrain

So it would be helpful if you folks could describe your actual setup in more detail.

I am using a self-hosted KeyCloak, and I think my "issue" is actually working as intended.

The plugin already uses a refresh token to refresh the access token when needed.

That was what I found out as well, and I think that the default expire time for a refresh token in KeyCloak is just one hour, which would cause me to be signed out a short time after signing in.

Unfortunately, KeyCloak has multiple ways of setting up the lifetime of tokens, and their docs are somewhat unclear as to what does what, but, I added the offline_scope to the KeyCloak config (which is not part of this plugin), and now I have a 30 day lifetime on my token.

FlyveHest avatar Dec 01 '25 09:12 FlyveHest

So it would be helpful if you folks could describe your actual setup in more detail.

I use an OIDC-compliant authorization server that does not issue refresh tokens.

In OIDC, only the ID token is used for authentication. There is also an OAuth access token (and optionally a refresh token) to access additional resources. I cannot find a direct quote from the spec, but I am pretty sure that the user session should not expire when any of these tokens expire.

What you're asking for is to authenticate once and then never recheck at the identity provider

Yes, AFAIU that is what the spec requires. I am not saying that it doesn't have downsides. I am just saying this plugin is not spec compliant, which is unexpected. This should at least be documented.

Edit: I guess the spec-compliant way to do this would be to do the whole authorization dance again. Ideally, the user would still have a session at the authorization server and would only notice a couple of redirects.

Another alternative would be to change the error message. People might set auth_security_timeout to something like 24h and require manual re-authentication after that. In that case, "OAuth: An error occured during the request to the oauth provider: [HTTP 401]" is very technical and not very helpful to users. Maybe something like "your session has expired" would be better.

xi avatar Dec 01 '25 09:12 xi

This should at least be documented.

Agreed. Please update the docs as you see fit.

splitbrain avatar Dec 01 '25 11:12 splitbrain
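The recheck behaviour debated in this thread (a local session that is trusted until auth_security_timeout elapses, then rechecked at the provider via the refresh token, falling back to re-authentication with a plain "session expired" message rather than a raw HTTP 401), as an added illustrative example in Python. It is not the plugin's own PHP code; the token endpoint and the refresh-token table are constructed stand-ins.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Constructed refresh-token store standing in for the provider's token endpoint:
# token -> absolute expiry (epoch seconds). An assumption, not the plugin's code.
_REFRESH_TOKENS = {"rt-fresh": 10_000, "rt-stale": 2_000}

class Action(Enum):
    OK = "ok"            # local session still trusted, nothing to do
    REFRESH = "refresh"  # recheck at the identity provider with the refresh token
    REAUTH = "reauth"    # no refresh token: run the authorization flow again

@dataclass
class Session:
    user: str
    last_check: float                   # last successful check at the provider (epoch seconds)
    refresh_token: Optional[str]        # None when the provider issues no refresh tokens

class TokenError(Exception):
    def __init__(self, status: int, reason: str):
        super().__init__(reason)
        self.status = status

def fake_token_endpoint(refresh_token: str, now: float) -> dict:
    """Answer a grant_type=refresh_token request the way the Keycloak log above does."""
    expiry = _REFRESH_TOKENS.get(refresh_token)
    if expiry is None or expiry <= now:
        raise TokenError(401, "Token is not active")  # error=invalid_token
    return {"access_token": "at-new", "refresh_token": refresh_token}

def decide(session: Session, now: float, auth_security_timeout: float) -> Action:
    """Mirror auth_security_timeout: the session is trusted until the timeout elapses."""
    if now - session.last_check < auth_security_timeout:
        return Action.OK
    return Action.REFRESH if session.refresh_token else Action.REAUTH

def recheck(session, now, auth_security_timeout, token_endpoint=fake_token_endpoint):
    """Return (session or None, user-facing message or None)."""
    action = decide(session, now, auth_security_timeout)
    if action is Action.OK:
        return session, None
    if action is Action.REFRESH:
        try:
            token_endpoint(session.refresh_token, now)
            session.last_check = now  # provider confirmed the account is still active
            return session, None
        except TokenError as e:
            if e.status != 401:       # transport or server failure: keep the technical detail
                return None, f"OAuth: provider returned HTTP {e.status}"
    # Expired refresh token, or none at all: tell the user in plain words
    return None, "Your session has expired, please log in again."
```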