
[BUG] Custom Oauth does not register the refreshToken nor respect the accessToken lifetime. #13693

Closed
ear-dev opened this issue Mar 13, 2019 · 1 comment · Fixed by #14121
Closed

Comments

@ear-dev
Contributor

ear-dev commented Mar 13, 2019

Description:

  • Custom Oauth implementation does include the refreshToken in its call to registerService(), as seen here
  • RocketChat server seems to be handling the session lifetime on its own, as opposed to respecting the accessToken lifetime, using the refreshToken to update the accessToken, and forcing the user to re-login in the case that they have both expired.

Steps to reproduce:

  1. Login with a customOauth provider and you will find that you can remain logged in to the server forever, unless you purposefully logout. This includes when the client app (in our case android) is closed and reopened on the device. Basically, the call to isAuthenticated() always comes back 'true', unless you have purposefully logged out at some point.

Expected behavior:

  • I would expect that the server should respect the accessToken lifetime (in our case 2 hours).
  • When a client opens a new session, if the accessToken has expired, the RC server should request a new access token from the Oauth provider, using the refreshToken (in our case the refreshToken has a lifetime of 30 days).
  • The RC server would then receive both a new accessToken and refreshToken in the response, which should be re-registered with the service.

Actual behavior:

  • Once logged in, a client can remain logged in forever, no matter the state of the accessToken or the refreshToken.
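The expected behavior above (honor the access token lifetime, fall back to the refresh token, force a re-login once both are expired, and re-register both tokens after a refresh) as an added, stand-alone example; this is not Rocket.Chat code and not the fix from #14121. It assumes a provider token response carrying `access_token`, `refresh_token`, `expires_in` and `refresh_expires_in` (seconds), and that the server stores absolute expiry timestamps next to the tokens; `refreshFn` stands in for the provider's token-endpoint call and all sample values are constructed.

```javascript
// Added example, not Rocket.Chat's custom-oauth code. Assumed token response shape:
// { access_token, refresh_token, expires_in, refresh_expires_in } (seconds), as used
// by common OAuth providers; the server keeps absolute expiry timestamps with the tokens.

function buildTokenRecord(tokenResponse, nowMs) {
  return {
    accessToken: tokenResponse.access_token,
    refreshToken: tokenResponse.refresh_token,
    accessExpiresAt: nowMs + tokenResponse.expires_in * 1000,
    refreshExpiresAt: nowMs + tokenResponse.refresh_expires_in * 1000,
  };
}

// What the server must do when a client resumes a session:
// 'valid'   -> access token still within its lifetime
// 'refresh' -> access token expired, refresh token registered and still valid
// 'login'   -> nothing usable (no record, refresh token missing, or both expired)
function sessionAction(record, nowMs) {
  if (!record) return 'login';
  if (nowMs < record.accessExpiresAt) return 'valid';
  if (record.refreshToken && nowMs < record.refreshExpiresAt) return 'refresh';
  return 'login';
}

// Resume a session. refreshFn(refreshToken) is the (hypothetical) provider call that
// returns a fresh token response or throws when the provider rejects the refresh token.
function resumeSession(record, nowMs, refreshFn) {
  switch (sessionAction(record, nowMs)) {
    case 'valid':
      return { authenticated: true, record };
    case 'refresh': {
      let response;
      try {
        response = refreshFn(record.refreshToken);
      } catch (err) {
        // Revoked or already-rotated refresh token: the user has to log in again.
        return { authenticated: false, record: null };
      }
      // Re-register BOTH tokens: providers commonly rotate the refresh token as well.
      return { authenticated: true, record: buildTokenRecord(response, nowMs) };
    }
    default:
      return { authenticated: false, record: null };
  }
}

// Constructed sample: a provider issuing 2-hour access tokens and 30-day refresh tokens.
const SAMPLE_RESPONSE = {
  access_token: 'at-1',
  refresh_token: 'rt-1',
  expires_in: 2 * 3600,
  refresh_expires_in: 30 * 24 * 3600,
};

// Constructed stand-in for the provider's token endpoint.
function fakeRefresh(refreshToken) {
  if (refreshToken !== 'rt-1') throw new Error('invalid_grant');
  return { ...SAMPLE_RESPONSE, access_token: 'at-2', refresh_token: 'rt-2' };
}

const HOUR = 3600 * 1000;
const DAY = 24 * HOUR;

// Walk one session through the three states the issue describes.
function demo() {
  const t0 = 0;
  const record = buildTokenRecord(SAMPLE_RESPONSE, t0);
  return {
    withinLifetime: sessionAction(record, t0 + 1 * HOUR),
    afterAccessExpiry: sessionAction(record, t0 + 3 * HOUR),
    afterBothExpired: sessionAction(record, t0 + 31 * DAY),
    refreshed: resumeSession(record, t0 + 3 * HOUR, fakeRefresh),
  };
}

console.log(demo());
```

The point of `sessionAction` returning `'login'` when `record.refreshToken` is absent is the first bullet of the report: if the refresh token is never registered with the service, there is nothing to refresh with, so the only correct outcome after the access token lifetime is a forced re-login rather than an indefinitely live session.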
rodrigok pushed a commit that referenced this issue Apr 16, 2019
* Fix #13693 Custom Oauth does not register the refreshToken nor respect the accessToken lifetime

* Update app/custom-oauth/server/custom_oauth_server.js

Co-Authored-By: ralfbecker <rb@egroupware.org>

* Update app/custom-oauth/server/custom_oauth_server.js

Co-Authored-By: ralfbecker <rb@egroupware.org>

* Update app/custom-oauth/server/custom_oauth_server.js

Co-Authored-By: ralfbecker <rb@egroupware.org>

* Update custom_oauth_server.js
@emikolajczak

Hi,
We have configured Oauth via KeyCloak to Rocket.Chat and observing that
"RocketChat server seems to be handling the session lifetime on its own, as opposed to respecting the accessToken lifetime, using the refreshToken to update the accessToken, and forcing the user to re-login in the case that they have both expired."

Our version of Rocket.Chat is 3.6.3
