OIDC: refresh grant improperly handles new refresh_token #10233

Closed
3 tasks done
takuy opened this issue Dec 2, 2021 · 1 comment · Fixed by #10301
@takuy
takuy commented Dec 2, 2021

Describe the Bug

When using an OIDC provider that provides a new refresh_token on a refresh grant flow, the old refresh_token is invalidated. Directus should be able to handle this by storing the new refresh_token in place of the existing refresh_token.

See discussion #10148 for further details.

To Reproduce

Use an OIDC provider that provides a new refresh_token and new access_token on a refresh grant.
See discussion #10148 for further details.

Errors Shown

Directus simply says the refresh_token is invalid. Server-side logs:

Dec 01 01:07:51 simplesamlphp DEBUG [21cd28ea1b] Token Request: {"grant_type":"authorization_code","code":"<snip>","redirect_uri":"http:\/\/mydomain.com\/directus\/auth\/login\/sso\/callback","code_verifier":"<snip>"}
Dec 01 01:07:51 simplesamlphp DEBUG [21cd28ea1b] Token Response: {"id_token":"<snip>","token_type":"Bearer","expires_in":3600,"access_token":"<snip>","refresh_token":"<refreshtoken1>"}
Dec 01 01:07:51 simplesamlphp DEBUG [61a0e80b4b] Token Request: {"grant_type":"refresh_token","refresh_token":"<refreshtoken1>"}
Dec 01 01:07:51 simplesamlphp DEBUG [61a0e80b4b] Token Response: {"id_token":"<new id token>","token_type":"Bearer","expires_in":3600,"access_token":"<new access token>","refresh_token":"<refreshtoken2>"}
Dec 01 01:07:52 simplesamlphp DEBUG [105214b31c] Token Request: {"grant_type":"refresh_token","refresh_token":"<refreshtoken1>"}
Dec 01 01:07:52 simplesamlphp ERROR [105214b31c] SimpleSAML\Module\oidc\Server\Exceptions\OidcServerException: The refresh token is invalid.

What version of Directus are you using?

9.1.2

What version of Node.js are you using?

Whatever comes with the Docker container

What database are you using?

MariaDB 10.4

What browser are you using?

Chrome

What operating system are you using?

RHEL 7

How are you deploying Directus?

Docker

@aidenfoxx
Contributor

This affects a minority of providers. Will have a PR to handle this tomorrow.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 3, 2024