
feat: refresh token on demand

Open cmbaatz opened this issue 1 year ago • 15 comments

Description

Adding a refresh endpoint that allows a user to refresh the JWT stored in the session without invalidating the session.

Motivation and Context

Within our application some mutable information is stored as attributes in our IDP (Keycloak). When a detail like a user's role or allowed tenants is updated we would like the ability to force the session store to refresh the JWT from our IDP in order to reflect the new values. We want to perform this operation in a way that is seamless to the user and doesn't require them to re-authenticate as this would be disruptive to their use of the application.

This issue was originally identified in issue #2019

How Has This Been Tested?

Yes,

  1. Tests were added to pkg/middleware/stored_session_test.go
  2. All existing tests were executed
  3. Code has been running in our production for 6+ months

Checklist:

  • [x] My change requires a change to the documentation or CHANGELOG.
  • [x] I have updated the documentation/CHANGELOG accordingly.
  • [x] I have created a feature (non-master) branch for my PR.
  • [x] I have written tests for my code changes.

cmbaatz avatar Jan 22 '24 19:01 cmbaatz
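The refresh the PR describes, as an added illustration that is not oauth2-proxy's code: a server-side session whose tokens are replaced by an OAuth2 refresh_token grant while its session ID stays the same, run against a constructed mock of an IDP token endpoint whose role claim changes between refreshes. The Session, NewMockIDP, Claims and ForceRefresh names are assumptions made for this example.

```go
package main
import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)
// Session: the proxy's server-side session; a forced refresh swaps tokens in place, so the session ID bound to the cookie stays valid.
type Session struct{ ID, IDToken, RefreshToken string }
// NewMockIDP is a constructed stand-in for Keycloak's token endpoint: the refresh_token grant yields a new (unsigned, alg "none") ID token carrying whatever roles() returns now.
func NewMockIDP(roles func() []string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.FormValue("grant_type") != "refresh_token" || r.FormValue("refresh_token") == "" {
			http.Error(w, `{"error":"invalid_grant"}`, http.StatusBadRequest)
			return
		}
		hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"none"}`))
		body, _ := json.Marshal(map[string]any{"sub": "alice", "roles": roles()})
		tok := hdr + "." + base64.RawURLEncoding.EncodeToString(body) + "."
		json.NewEncoder(w).Encode(map[string]string{"id_token": tok, "refresh_token": "rt-2"})
	}))
}
// Claims decodes a JWT payload WITHOUT verifying it; a real proxy validates the signature against the IDP's JWKS before trusting any claim.
func Claims(token string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 { return nil, fmt.Errorf("malformed token") }
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil { return nil, err }
	var c map[string]any
	return c, json.Unmarshal(raw, &c)
}
// ForceRefresh runs the OAuth2 refresh_token grant against tokenURL and swaps the returned tokens into the session; the session is neither destroyed nor re-created.
func ForceRefresh(s *Session, tokenURL string) error {
	form := url.Values{"grant_type": {"refresh_token"}, "refresh_token": {s.RefreshToken}}
	resp, err := http.PostForm(tokenURL, form)
	if err != nil { return err }
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK { return fmt.Errorf("token endpoint: %s", resp.Status) }
	var tr map[string]string
	if err := json.NewDecoder(resp.Body).Decode(&tr); err != nil || tr["id_token"] == "" {
		return fmt.Errorf("bad token response: %v", err)
	}
	s.IDToken, s.RefreshToken = tr["id_token"], tr["refresh_token"]
	return nil
}
```

After the IDP changes the user's roles, a second ForceRefresh on the same Session yields an ID token with the new claim while s.ID is unchanged, which is the behaviour the PR asks for.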

Is it possible to get this pull request reviewed? We find this feature extremely useful for our use case where we have data set in the JWT that may change over time. The change allows us to force a refresh request from the IDP thereby allowing the JWT to be updated without forcing the user to reauthenticate.

cmbaatz avatar Jan 31 '24 14:01 cmbaatz

I agree with @cmbaatz, this will solve several use cases for more than one project :rocket:

ljcodigo avatar Feb 08 '24 15:02 ljcodigo

PR is up to date after @cmbaatz merge. :)

ljcodigo avatar Feb 26 '24 13:02 ljcodigo

@JoelSpeed , @NickMeves, @tuunit , or @kvanzuijlen this is my second attempt to contribute this code to the project and both times it appears that the PR is left to expire. At its base all this code change does is expose the OIDC/OAuth2 refresh endpoint. How or why that's used by users is entirely up to their own needs from the proxy. How can I help move this PR forward?

cmbaatz avatar Feb 26 '24 13:02 cmbaatz

@JoelSpeed ? :)

ljcodigo avatar Mar 18 '24 19:03 ljcodigo

@JoelSpeed, @NickMeves, @tuunit @kvanzuijlen This PR has been waiting for review for nearly 2 months. How can I help move it up in the list of things to be reviewed?

cmbaatz avatar Mar 20 '24 12:03 cmbaatz

I'm really happy that the code review for this PR started :) thanks @JoelSpeed and @cmbaatz :)

ljcodigo avatar Apr 01 '24 13:04 ljcodigo

This pull request has been inactive for 60 days. If the pull request is still relevant please comment to re-activate the pull request. If no action is taken within 7 days, the pull request will be marked closed.

github-actions[bot] avatar Jun 04 '24 00:06 github-actions[bot]

This pull request has been inactive for 60 days. If the pull request is still relevant please comment to re-activate the pull request. If no action is taken within 7 days, the pull request will be marked closed.

Please, don't die.

ljcodigo avatar Jun 04 '24 13:06 ljcodigo

This pull request has been inactive for 60 days. If the pull request is still relevant please comment to re-activate the pull request. If no action is taken within 7 days, the pull request will be marked closed.

github-actions[bot] avatar Aug 09 '24 00:08 github-actions[bot]