
Issue 1836: Fix expired OIDC tokens

Open miguelborges99 opened this issue 1 year ago • 11 comments

Fix expired OIDC tokens

Description

Check the IDToken expiration time to see if the token must be refreshed. Do not rely only on session age.

Motivation and Context

Fix issue #1836

How Has This Been Tested?

Tested with real environment (see #1836)

Checklist:

  • [x] My change requires a change to the documentation or CHANGELOG.
  • [x] I have updated the documentation/CHANGELOG accordingly.
  • [x] I have created a feature (non-master) branch for my PR.

miguelborges99, Dec 31 '22 20:12

Can we review this one!?

ghost, Jan 25 '23 18:01

This pull request has been inactive for 60 days. If the pull request is still relevant please comment to re-activate the pull request. If no action is taken within 7 days, the pull request will be marked closed.

github-actions[bot], Aug 13 '23 00:08

Hi @miguelborges99, thank you for all the work you have already put into this and the other 7 pull requests :)

I'll do my best to review your currently open ones in the upcoming days!

tuunit, Sep 09 '23 09:09

Unfortunately, I became aware of the fact that not all OIDC providers provide a new id_token with a refresh, as it is not enforced in the OIDC specification. I'll have to do some further analysis on the following PR before we can continue with this one, as your logic might cause an endless loop of trying to do a refresh with some IDPs like Ping ID: https://github.com/oauth2-proxy/oauth2-proxy/pull/1933

tuunit, Sep 09 '23 21:09
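The two points in play here are the PR description (refresh when the id_token has expired, not only when the session reaches its refresh age) and the review concern above (an IDP that does not issue a new id_token on refresh would make that check fire on every request). The following is an added illustration, not oauth2-proxy's code: the `Session`, `Refresher`, `clockSkew`, `needsRefresh` and `refreshIfNeeded` names are hypothetical stand-ins, and the id_token is a constructed, unsigned JWT whose `exp` claim is read without signature verification (the token is assumed to have been verified when the session was created). The loop guard is the part the review asks for: a refresh that comes back with a still-expired id_token is treated as a failure that must end in re-authentication rather than another refresh.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// clockSkew is an assumed tolerance for drift between proxy and IDP clocks.
const clockSkew = 30 * time.Second

// Session holds only what the decision needs; it is a stand-in, not oauth2-proxy's SessionState.
type Session struct {
	IDToken   string
	CreatedAt time.Time
}

// Refresher stands in for the provider's refresh call (hypothetical signature).
type Refresher func(s Session) (Session, error)

// Returned when the IDP accepted the refresh but the id_token it handed back is still expired.
var ErrRefreshDidNotRenewIDToken = errors.New("refresh did not return a valid id_token; re-authentication required")

// idTokenExpiry reads exp from a compact JWS. It does not verify the signature: the token
// was verified when the session was created, and only its expiry time matters here.
func idTokenExpiry(idToken string) (time.Time, error) {
	parts := strings.Split(idToken, ".")
	if len(parts) != 3 {
		return time.Time{}, errors.New("id_token is not a compact JWS")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return time.Time{}, fmt.Errorf("decoding id_token payload: %w", err)
	}
	var claims struct {
		Exp int64 `json:"exp"`
	}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return time.Time{}, fmt.Errorf("parsing id_token claims: %w", err)
	}
	if claims.Exp == 0 {
		return time.Time{}, errors.New("id_token has no exp claim")
	}
	return time.Unix(claims.Exp, 0), nil
}

// needsRefresh is the decision the PR changes: refresh when the session has reached
// cookieRefresh age OR when the id_token itself has expired, not on session age alone.
func needsRefresh(s Session, now time.Time, cookieRefresh time.Duration) (bool, error) {
	if cookieRefresh > 0 && now.Sub(s.CreatedAt) >= cookieRefresh {
		return true, nil
	}
	exp, err := idTokenExpiry(s.IDToken)
	if err != nil {
		return false, err
	}
	return !exp.After(now.Add(clockSkew)), nil
}

// refreshIfNeeded applies needsRefresh and guards against the loop raised in review: if the
// refresh succeeds but the returned id_token is still expired, the next request would refresh
// again, forever. Fail closed instead so the caller clears the session and re-authenticates.
func refreshIfNeeded(s Session, now time.Time, cookieRefresh time.Duration, refresh Refresher) (Session, bool, error) {
	need, err := needsRefresh(s, now, cookieRefresh)
	if err != nil || !need {
		return s, false, err
	}
	ns, err := refresh(s)
	if err != nil {
		return s, false, err
	}
	ns.CreatedAt = now
	newExp, err := idTokenExpiry(ns.IDToken)
	if err != nil {
		return s, false, err
	}
	if !newExp.After(now.Add(clockSkew)) {
		return s, false, ErrRefreshDidNotRenewIDToken
	}
	return ns, true, nil
}

// makeIDToken builds a constructed, unsigned id_token for this demo only.
func makeIDToken(exp time.Time) string {
	enc := func(v interface{}) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	return enc(map[string]string{"alg": "none"}) + "." + enc(map[string]interface{}{"sub": "alice", "exp": exp.Unix()}) + ".sig"
}

func main() {
	now := time.Unix(1700000000, 0)
	// Constructed session: 5 minutes old, far under a 1h cookie refresh, but its id_token expired a minute ago.
	stale := Session{IDToken: makeIDToken(now.Add(-time.Minute)), CreatedAt: now.Add(-5 * time.Minute)}
	renewing := func(s Session) (Session, error) { s.IDToken = makeIDToken(now.Add(time.Hour)); return s, nil }
	_, ok, err := refreshIfNeeded(stale, now, time.Hour, renewing)
	fmt.Println("IDP issues a new id_token:", ok, err)
	echoing := func(s Session) (Session, error) { return s, nil } // IDP hands back the same id_token
	_, ok, err = refreshIfNeeded(stale, now, time.Hour, echoing)
	fmt.Println("IDP keeps the old id_token:", ok, err)
}
```

The `echoing` case is the Ping ID scenario from the review: without the guard, `needsRefresh` would return true again on the very next request because the stored id_token is unchanged. Whether a proxy should instead fall back to session age alone for such providers (the opt-in suggested later in the thread) is a policy choice; the guard only makes sure the choice is made once rather than on every request.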

@miguelborges99 can you change your PR description to include Fixes #1836 to properly link the PR with the issue (and auto-close the issue once the PR gets merged)?

kvanzuijlen, Oct 25 '23 17:10

@tuunit any chance to review this one? The issue is still present on v7.5.1.

mohsek, Oct 30 '23 16:10

> Unfortunately, I became aware of the fact that not all OIDC providers provide a new id_token with a refresh, as it is not enforced in the OIDC specification. I'll have to do some further analysis on the following PR before we can continue with this one, as your logic might cause an endless loop of trying to do a refresh with some IDPs like Ping ID: #1933

Maybe someone with this scenario could test this PR. Unfortunately, I do not have such a scenario.

miguelborges99, Nov 18 '23 12:11

Any chance this could be revisited and considered to be merged? If there is only one provider that has the issue with it, maybe this could be gated with an opt-in parameter?

At the moment the only way to work around this is to set the refresh cookie to the same value as the token expiration, so when the session expires the token expires too. Though this is usually 1 hour and does not leave us with such a great user experience.

Any thoughts or suggestions?

mswiderski, Nov 28 '23 14:11

This pull request has been inactive for 60 days. If the pull request is still relevant please comment to re-activate the pull request. If no action is taken within 7 days, the pull request will be marked closed.

github-actions[bot], Jan 29 '24 00:01

re-activate

mswiderski, Jan 29 '24 07:01

Are there any plans for this to be looked into?

mswiderski, Jan 29 '24 07:01

This pull request has been inactive for 60 days. If the pull request is still relevant please comment to re-activate the pull request. If no action is taken within 7 days, the pull request will be marked closed.

github-actions[bot], Mar 31 '24 00:03