
REST calls with non-matching AT/IDT

Open curuvija opened this issue 2 years ago • 0 comments

Gloo Edge Version

1.11.x

Kubernetes Version

1.20.x

Describe the bug

In case of token refresh, the first REST call received on the backend gets both AT and IDT, where the AT obviously does not have the proper id_hash, resulting in a 403. If the REST call is repeated, everything works fine again. We've tested this on Gloo version 1.9.1 and recently on Gloo version 1.11.28.

Steps to reproduce the bug

  1. Make a Gloo session
  2. Hit the REST endpoint protected with the token to make sure it works
  3. Wait until the token expires
  4. Fire the REST call again just after the token expires and you'll see 403 Forbidden

Expected Behavior

We shouldn't have any failed request due to refresh token.

Additional Context

No response

curuvija avatar Sep 06 '22 13:09 curuvija
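The 403 described in this report is what a backend produces when it enforces the OpenID Connect `at_hash` binding (the reporter calls it `id_hash`): the ID token carries the left-most 128 bits of the SHA-256 hash of the access token it was issued with, base64url-encoded, and a backend that checks it will reject a freshly refreshed access token presented alongside the old ID token. The following Python is an added example, not code from the issue or from Gloo; it assumes the backend applies the standard `at_hash` check and uses constructed, unsigned token strings to show the mismatch on the first post-refresh call and the match once both tokens are consistent again.

```python
import base64
import hashlib
import secrets


def b64url(data: bytes) -> str:
    """base64url without padding, as used for JWT claims."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def at_hash(access_token: str) -> str:
    """OIDC Core at_hash for SHA-256 algorithms (RS256/ES256/HS256):
    hash the ASCII octets of the access token, keep the left-most 128 bits,
    base64url-encode the result."""
    digest = hashlib.sha256(access_token.encode("ascii")).digest()
    return b64url(digest[:16])


def make_id_token_claims(access_token: str, sub: str = "user-1") -> dict:
    """Constructed ID-token claim set bound to one access token.
    A real IDT would be a signed JWT; only the claims matter here."""
    return {
        "iss": "https://issuer.example",  # placeholder issuer, assumption
        "sub": sub,
        "at_hash": at_hash(access_token),
    }


def check_pair(id_token_claims: dict, access_token: str):
    """What a backend that enforces the AT/IDT binding does:
    recompute at_hash from the presented AT and compare it, in constant
    time, with the claim carried in the IDT. Returns (status, reason)."""
    expected = id_token_claims.get("at_hash")
    if expected is None:
        return 403, "id token carries no at_hash"
    if not secrets.compare_digest(expected, at_hash(access_token)):
        return 403, "at_hash does not match presented access token"
    return 200, "ok"


def simulate_refresh_race():
    """Reproduce the reported sequence with constructed tokens:
    call 1 after refresh sends a new AT with the stale IDT (403),
    call 2 sends a consistent pair (200)."""
    old_at = "constructed-access-token-1"
    stale_idt = make_id_token_claims(old_at)
    new_at = "constructed-access-token-2"  # AT after refresh, IDT not yet refreshed
    first = check_pair(stale_idt, new_at)
    fresh_idt = make_id_token_claims(new_at)
    second = check_pair(fresh_idt, new_at)
    return first, second


if __name__ == "__main__":
    for i, (status, reason) in enumerate(simulate_refresh_race(), start=1):
        print(f"call {i}: {status} {reason}")
```

The backend side here is doing the right thing: rejecting a pair whose `at_hash` does not match is exactly the check that stops an access token from being paired with an ID token it was not issued with, so the fix for the report belongs in the gateway, which should forward a refreshed AT only together with the IDT minted in the same refresh response rather than the one cached from the previous session.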