lua-resty-openidc
id_token validation doesn't work when silent auth is disabled
I've observed that once silent auth is disabled (refresh_session_interval=nil), no validation is done for the id_token.
You can use it until the session's end of life, which can be adjusted by the session_cookie_lifetime variable, even if you log out!
Environment
- lua-resty-openidc version 1.7.4
- OpenID Connect provider Azure AD
- refresh_session_interval=nil
- session storage = cookie
- token type = id_token
Expected behaviour
Once you have logged out and your id_token has expired (the exp token field), the request should be rejected/redirected to the login page.
Actual behaviour
You can use an outdated id_token after logout until its session expiration, configured by the session_cookie_lifetime variable.
Minimized example
local opts = {
  -- keep only the decoded id_token in the session; no access/refresh token
  session_contents = {id_token=true, enc_id_token=false, user=false, access_token=false},
  -- silent auth disabled (a nil value just leaves the key unset in Lua)
  refresh_session_interval = nil,
}
Configuration and NGINX server log files
I've observed that if I enable access_token=true in session_contents and add the proper configuration in Azure AD, then validation works fine for the access token even if silent auth is disabled.
BUT if you try to log out, the refresh token is still working! So your id_token with the access token will be accepted after a refresh with the refresh token even if you previously logged out!
ID token expiration is not validated at all if the access token is disabled.
[edit]
I've tried to use revoke_tokens_on_logout=true, but during logout I see the following message:
no revocation endpoint supplied. unable to revoke refresh token
As far as I can see, neither Keycloak nor Azure AD provides the revocation_endpoint field in its discovery endpoint.
How to make the refresh token obsolete then?
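As an added example (not code from this issue or from the lua-resty-openidc project itself), the following access_by_lua_file script for OpenResty re-checks the id_token's exp claim on every request after authenticate() returns, so that an expired id_token carried in a still-valid session cookie is rejected even with silent auth disabled. It assumes that authenticate() returns the session object as its fourth value and that this object exposes destroy(); the discovery URL, client credentials, redirect_uri and the 60-second clock-skew leeway are placeholders. It does not address the second point in the report (a refresh token that stays usable after logout).

```lua
-- access.lua: load with `access_by_lua_file /path/to/access.lua;` in OpenResty.
-- Added example; not part of the issue report or of lua-resty-openidc.
local openidc = require("resty.openidc")

local opts = {
  -- placeholders: replace with your tenant, client and redirect URI
  discovery = "https://login.microsoftonline.com/TENANT_ID/v2.0/.well-known/openid-configuration",
  client_id = "CLIENT_ID",
  client_secret = "CLIENT_SECRET",
  redirect_uri = "https://app.example.com/redirect_uri",
  logout_path = "/logout",
  scope = "openid",
  -- same contents as in the report: only the decoded id_token is kept in the session
  session_contents = { id_token = true },
  -- silent auth disabled (a nil value simply leaves the key unset in Lua)
  refresh_session_interval = nil,
}

-- Assumed leeway for clock skew between this server and the provider, in seconds.
local CLOCK_SKEW = 60

-- Returns true when the id_token is still valid at time `now` (a Unix timestamp).
-- A missing or non-numeric exp claim is rejected rather than treated as "never expires".
local function id_token_is_current(id_token, now)
  local exp = id_token and id_token.exp
  if type(exp) ~= "number" then
    return false
  end
  return now <= exp + CLOCK_SKEW
end

-- authenticate() establishes or restores the session. With refresh_session_interval
-- unset the library does not re-check exp on later requests, so it is checked here.
-- The fourth return value being the session object is an assumption of this example.
local res, err, _, session = openidc.authenticate(opts)
if err then
  ngx.status = 500
  ngx.say(err)
  return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
end

if not id_token_is_current(res.id_token, ngx.time()) then
  -- Expired: drop the session cookie and send the client back through the login flow.
  -- Without a session, the next authenticate() call on this URI starts a fresh login.
  if session then
    session:destroy()
  end
  return ngx.redirect(ngx.var.request_uri)
end

-- Expose the subject to the upstream once the token has passed the expiry check.
ngx.req.set_header("X-User", res.id_token.sub or "")
```

With cookie-based session storage, destroying the session clears the cookie in the redirect response, so the follow-up request arrives without a session and is sent to the provider instead of looping. The leeway should stay small; a large value reintroduces the window the report complains about.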