
Incorrect expiry time in RefreshToken in OIDC?

Open zetaab opened this issue 1 year ago • 2 comments

Description:

My current setup is that the token lifetime is 60 minutes and the refresh token lifetime is 2 days (configured in the identity provider). However, with the current expiry times, the Envoy cookie model simply cannot work. Let's say that I got new tokens at 10:41:13Z and everything is stored in cookies. The normal token will expire at 11:41:13Z, and after that it is supposed to use the refresh token to fetch a new normal token. However, that is impossible because the refresh token cookie expired at 11:41:13Z as well and there is no cookie anymore. The RefreshToken lifetime should be longer than the normal token's. Should it be configurable?

Repro steps:

Include sample requests, environment, etc. All data and inputs required to reproduce the bug.

Note: If there are privacy concerns, sanitize the data prior to sharing.

Environment:

Include the environment like gateway version, envoy version and so on.

Logs:

Include the access logs and the Envoy logs.

zetaab avatar May 23 '24 11:05 zetaab

cc @zhaohuabing

arkodg avatar May 23 '24 21:05 arkodg

@zetaab I believe this is because the useRefreshToken option is not turned on. There is ongoing work to address this in #3423.

zhaohuabing avatar May 24 '24 00:05 zhaohuabing
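
The timeline from the issue, as an added example that is not part of the original thread or of Envoy Gateway's code: it models which cookies a browser still sends after the token expires, comparing a refresh-token cookie that shares the token's 60-minute lifetime with one that lasts the full 2 days. The cookie name `AccessToken`, the function names and the cookie value are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from http.cookies import SimpleCookie

# Lifetimes from the issue: 60-minute token, 2-day refresh token.
ACCESS_TTL = timedelta(minutes=60)
REFRESH_TTL = timedelta(days=2)
ISSUED_AT = datetime(2024, 5, 23, 10, 41, 13, tzinfo=timezone.utc)


def set_cookie(name, value, ttl):
    """Build a Set-Cookie header value whose Max-Age equals ttl."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["max-age"] = int(ttl.total_seconds())
    jar[name]["secure"] = True
    jar[name]["httponly"] = True
    return jar[name].OutputString()


def issue_cookies(issued_at, refresh_cookie_ttl):
    """Expiry time per cookie as set at login (names are illustrative)."""
    return {
        "AccessToken": issued_at + ACCESS_TTL,
        "RefreshToken": issued_at + refresh_cookie_ttl,
    }


def next_action(cookies, now):
    """What the proxy can do with the cookies the browser still sends."""
    sent = {name for name, expiry in cookies.items() if now < expiry}
    if "AccessToken" in sent:
        return "use-access-token"
    if "RefreshToken" in sent:
        return "refresh"
    return "full-login"


if __name__ == "__main__":
    just_expired = ISSUED_AT + ACCESS_TTL + timedelta(seconds=1)
    reported = issue_cookies(ISSUED_AT, ACCESS_TTL)   # behaviour in the issue
    expected = issue_cookies(ISSUED_AT, REFRESH_TTL)  # cookie outlives the token
    print(set_cookie("RefreshToken", "constructed-value", REFRESH_TTL))
    print("reported:", next_action(reported, just_expired))
    print("expected:", next_action(expected, just_expired))
```

With the reported expiry the only option one second after 11:41:13Z is a full login, because the refresh-token cookie has already been dropped by the browser.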