oauth2-proxy
Issue 1836: Fix expired OIDC tokens
Description
Check the IDToken expiration time to see if the token must be refreshed. Do not rely only on session age.
Motivation and Context
Fix issue #1836
How Has This Been Tested?
Tested with real environment (see #1836)
Checklist:
- [x] My change requires a change to the documentation or CHANGELOG.
- [x] I have updated the documentation/CHANGELOG accordingly.
- [x] I have created a feature (non-master) branch for my PR.
Can we review this one!?
This pull request has been inactive for 60 days. If the pull request is still relevant please comment to re-activate the pull request. If no action is taken within 7 days, the pull request will be marked closed.
Hi @miguelborges99, thank you for all the work you have already put into this and the other 7 Pull Requests :)
I'll do my best to review your currently open ones in the upcoming days!
Unfortunately, I became aware of the fact that not all OIDC providers provide a new id_token with a refresh, as it is not enforced in the OIDC specification. I'll have to do some further analysis on the following PR: https://github.com/oauth2-proxy/oauth2-proxy/pull/1933 before we can continue with this PR, as your logic might cause an endless loop of trying to do a refresh with some IDPs like Ping ID.
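The PR description above asks for the id_token's own `exp` claim to be checked alongside session age, and the maintainer's reply warns that an IdP which returns no new id_token on refresh can drive that check into an endless refresh loop. The following is an added example sketching both points in Go, the project's language; it is not oauth2-proxy's code, and the `Session`, `Decide`, `ApplyRefresh` names, the `RefreshedWithoutIDToken` flag and the sample token are assumptions made for the illustration.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Action is what the proxy should do with the request's session.
type Action int

const (
	ActionKeep           Action = iota // session and id_token still valid
	ActionRefresh                      // call the token endpoint with the refresh token
	ActionReauthenticate               // clear the session and send the user back to the IdP
)

func (a Action) String() string { return [...]string{"keep", "refresh", "reauthenticate"}[a] }

// Session holds only the fields this example needs (assumed names, not oauth2-proxy's).
type Session struct {
	CreatedAt    time.Time // issued or last refreshed
	IDToken      string    // raw JWT from the IdP
	RefreshToken string
	// Set when a refresh succeeded but the IdP sent no new id_token: an expired
	// id_token can then not be fixed by refreshing again, so we must not loop.
	RefreshedWithoutIDToken bool
}

// RefreshResponse is the subset of a token-endpoint reply used here (constructed).
type RefreshResponse struct {
	IDToken      string // may be empty: OIDC does not require one on refresh
	RefreshToken string // may be empty: not every IdP rotates it
}

// IDTokenExpiry reads the exp claim without verifying the signature. The token
// was verified when the session was created, and exp only steers refresh /
// re-login here, so a tampered exp cannot extend the session.
func IDTokenExpiry(idToken string) (time.Time, error) {
	parts := strings.Split(idToken, ".")
	if len(parts) != 3 {
		return time.Time{}, errors.New("id_token is not a compact JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return time.Time{}, fmt.Errorf("decode id_token payload: %w", err)
	}
	var claims struct {
		Exp int64 `json:"exp"`
	}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return time.Time{}, fmt.Errorf("parse id_token claims: %w", err)
	}
	if claims.Exp == 0 {
		return time.Time{}, errors.New("id_token has no exp claim")
	}
	return time.Unix(claims.Exp, 0).UTC(), nil
}

// Decide combines session age (refreshPeriod) with the id_token's exp (minus
// skew). If the token is expired but the last refresh brought no new id_token,
// another refresh cannot help, so it forces re-authentication instead.
func Decide(s Session, now time.Time, refreshPeriod, skew time.Duration) (Action, error) {
	exp, err := IDTokenExpiry(s.IDToken)
	if err != nil {
		return ActionReauthenticate, err
	}
	ageExceeded := refreshPeriod > 0 && now.Sub(s.CreatedAt) >= refreshPeriod
	tokenExpired := !now.Add(skew).Before(exp) // now+skew >= exp
	switch {
	case !ageExceeded && !tokenExpired:
		return ActionKeep, nil
	case s.RefreshToken == "":
		return ActionReauthenticate, nil
	case tokenExpired && s.RefreshedWithoutIDToken:
		return ActionReauthenticate, nil // loop guard
	default:
		return ActionRefresh, nil
	}
}

// ApplyRefresh updates the session from a token-endpoint reply and records
// whether the IdP actually delivered a new id_token.
func ApplyRefresh(s Session, resp RefreshResponse, now time.Time) Session {
	s.CreatedAt = now
	if resp.RefreshToken != "" {
		s.RefreshToken = resp.RefreshToken
	}
	s.RefreshedWithoutIDToken = resp.IDToken == ""
	if resp.IDToken != "" {
		s.IDToken = resp.IDToken
	}
	return s
}

// MakeUnsignedIDToken builds a constructed alg "none" JWT for the sample data;
// a real proxy must never accept such a token from the network.
func MakeUnsignedIDToken(exp time.Time) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"none","typ":"JWT"}`))
	payload, _ := json.Marshal(map[string]interface{}{"sub": "user@example.com", "exp": exp.Unix()})
	return header + "." + base64.RawURLEncoding.EncodeToString(payload) + "."
}

func main() {
	now := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)
	s := Session{CreatedAt: now.Add(-10 * time.Minute), RefreshToken: "rt-1",
		IDToken: MakeUnsignedIDToken(now.Add(-time.Minute))} // expired, session young
	a, _ := Decide(s, now, time.Hour, 0)
	fmt.Println("expired id_token, young session:", a)
	s = ApplyRefresh(s, RefreshResponse{}, now) // IdP returned no id_token
	a, _ = Decide(s, now, time.Hour, 0)
	fmt.Println("still expired after refresh:", a)
}
```

The first `Decide` call is the case from #1836: a session well inside its refresh period whose id_token has already expired now triggers a refresh. The second shows the loop guard: after a refresh that carried no id_token, the still-expired token leads to re-authentication rather than another refresh.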
@miguelborges99 can you change your PR description to include `Fixes #1836` to properly link the PR with the issue (and auto-close the issue once the PR gets merged)?
@tuunit any chance to review this one ? the issue is still present on v7.5.1
> Unfortunately, I became aware of the fact that not all OIDC providers provide a new id_token with a refresh, as it is not enforced in the OIDC specification. I'll have to do some further analysis on the following PR: #1933 before we can continue with this PR, as your logic might cause an endless loop of trying to do a refresh with some IDPs like Ping ID.

Maybe someone with this scenario could test this PR. Unfortunately, I do not have such a scenario.
Any chance this could be revisited and considered to be merged? If there is only one provider that has the issue with it, maybe this could be gated with an opt-in parameter?
At the moment the only way to work around this is to set the refresh cookie to the same value as the token expiration, so when the session expires the token expires too. Though this is usually 1 hour and leaves us with not such a great user experience.
Any thoughts or suggestions?
This pull request has been inactive for 60 days. If the pull request is still relevant please comment to re-activate the pull request. If no action is taken within 7 days, the pull request will be marked closed.
re-activate
are there any plans for this to be looked into?
This pull request has been inactive for 60 days. If the pull request is still relevant please comment to re-activate the pull request. If no action is taken within 7 days, the pull request will be marked closed.