Refresh token not available after initial login. #2574
Comments
The current design is that we take whatever the IdP returns and store it. So that means this is working how I expect. We could optionally keep the previous value if the current login response doesn't return a refresh token. The potential issue here is that we would just have to guess that the reason the IdP doesn't return a refresh token is because it thinks the prior one is still valid (assuming that is why Google is not returning it on the second login - because the current session is still active). Maybe this is a safe assumption? It just means we may hold onto old tokens unknowingly.
@robotdan @mark-robustelli I am confused. As a user of FusionAuth, am I supposed to call Google to get the access token using the refresh token that is initially returned? I know that's how OAuth works but I was under the impression that fusionauth was handling much of the heavy lifting.
To be clear, all I need is the access token so I can call Google APIs and I need that to be refreshed somehow. The token that comes back from
@jschatz1 From https://fusionauth.io/docs/apis/identity-providers/openid-connect
It varies based on the identity provider, but is documented in the API. We should continue the support questions on the forum post, because this issue is for the bug that you uncovered (thank you!), not for support.
@robotdan I agree that this is "working as designed" but it seems to me that nulling out an existing refresh token is not exactly behavior that the user will expect or desire. I think it is reasonable to think of the token field as remaining present. I think there are two options:
the latter feels more in keeping with the documentation:
Since the refresh token is not provided in the second login above, as Mark's screenshots show, we shouldn't update it. Basically, we should test if we get back a refresh token.
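As an added example (not FusionAuth's code), the Python below compares the two update behaviours under discussion, "store whatever the IdP returns" versus "keep the old refresh token when none comes back", against a constructed IdP that only returns a refresh token when consent was prompted, as in the reproduction steps. The Link class, its fields and the function names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Link:
    """Constructed stand-in for a stored IdP link; field names are hypothetical."""
    access_token: str = ""
    refresh_token: Optional[str] = None
    refresh_token_login: int = 0  # login number that supplied the stored refresh token


def fake_idp_response(login_number: int, consent_prompted: bool) -> dict:
    """Constructed IdP mimicking the reported behaviour: refresh_token only
    appears when the user has just consented (first login, or after revoking
    the app's access as in the reproduction steps)."""
    resp = {"access_token": f"at-{login_number}"}
    if consent_prompted:
        resp["refresh_token"] = f"rt-{login_number}"
    return resp


def update_overwrite(link: Link, resp: dict, login_number: int) -> Link:
    """Current design: store whatever the IdP returned, so a missing
    refresh_token nulls out the previously stored one."""
    link.access_token = resp["access_token"]
    link.refresh_token = resp.get("refresh_token")
    link.refresh_token_login = login_number if link.refresh_token else 0
    return link


def update_preserve(link: Link, resp: dict, login_number: int) -> Link:
    """Proposal from the thread: only replace the refresh token when the
    response actually carries one; otherwise keep the earlier value."""
    link.access_token = resp["access_token"]
    if resp.get("refresh_token"):
        link.refresh_token = resp["refresh_token"]
        link.refresh_token_login = login_number
    return link


def simulate(policy: str, consent_on: tuple = (1,), logins: int = 3) -> Link:
    """Run `logins` successive logins; consent is prompted on the numbered logins."""
    update = update_overwrite if policy == "overwrite" else update_preserve
    link = Link()
    for n in range(1, logins + 1):
        update(link, fake_idp_response(n, consent_prompted=n in consent_on), n)
    return link
```

Recording which login supplied the kept refresh token is what makes the "preserve" variant auditable: once the user revokes the application's access at the IdP, the kept token stops working, and the marker shows how stale it is.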
Honestly @mooreds, if it was clearer that the... The API for the Link API does not mention that this is a refresh token and instead it says it is an opaque token.
Thanks for the feedback @jschatz1. I'll take a look at the documentation and see if it can be made clearer.
Pinging to see if there has been any further movement on this issue. Has anything been prioritized or investigated further, or is it just a matter of updating the docs for clarity?
@Noblebrown at this point, this is not in plan. The documentation may be clarified, but I don't expect any changes to the OIDC behavior. |
Description
When using Google Login, the refresh token is not always available in the Access Token Response. It is available the first time the user logs into the application but not in subsequent logins. This was discovered in this community thread.
Affects versions
Currently tested with 1.48.1
Steps to reproduce
Steps to reproduce the behavior:
Create an Application and enable debugging. I used fusionauth-quickstart-dotnet-web as a base.
Set up the application in Google.
Create an OpenID Connect Identity Provider and enable it for the application.
Log in to the application using the OpenID Connect button.
Choose your Google account.
Consent to access.
View the debug log and you can view the refresh token.
Log out of the Application.
Log back into the Application using the OpenID Connect button.
Look at the logs and see there is now no refresh token.
Log out.
Go into the Google account you are using to test with and remove all connections with the test application.
Go to the web application and log in again using the OpenID Connect button.
View the logs and see the refresh token again.
Expected behavior
I expect the refresh token to be available every time the user logs in.
Platform
Community guidelines
All issues filed in this repository must abide by the FusionAuth community guidelines.
Additional context
N/A