Expired tokens do not get redirected to logout #39
Assignees
Comments
|
Thanks for reporting! I'll have a look. |
abompard
added a commit
to abompard/flask-oidc
that referenced
this issue
Oct 9, 2023
…n URL Fixes: fedora-infra#39 Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
|
Thanks for the investigation, it made fixing much easier. I'll release a new version with the fix today. |
abompard
added a commit
that referenced
this issue
Oct 9, 2023
…n URL Fixes: #39 Signed-off-by: Aurélien Bompard <aurelien@bompard.org>
|
Included in release Version 2.1.0. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hello, I think we have identified a bug here in the latest version of flask-oidc. Several engineers noticed they were not presented with the login screen in our application after we upgraded to 2.0.3 and well-beyond their token expire time. After running it down I think there is a bug in this commit - https://github.com/fedora-infra/flask-oidc/pull/23/files#diff-ba9e98878e9cf879d9dc4f97d637849d516a4ddaf4d27c3409a2b05250ba992bR205
It attempts to refresh the token, expecting an exception to be thrown if it's no longer valid. However, the library will instead return None if there is no token to refresh - https://github.com/lepture/authlib/blob/a6e89f8e6cf6f6bebd63dcdc2665b7d22cf0fde3/authlib/oauth2/client.py#L260
I validated this by hooking into the authlib library to pull my token, editing the expire time to be in the past, and then passing it to this library's ensure_active_token call.
This in turn makes the check_token_expiry call in the before_request handler not return a redirect, and allows users through because their old (expired) session exists, passing the require_login decorator.
The impact of this is being able to access anything behind the require_login decorator far past the token expire time, up until the cookie gets cleared in the browser
The text was updated successfully, but these errors were encountered: