OAuth 2 proxy OIDC provider does not respect cookie-refresh

[BaesKevin]

OAuth 2 proxy never initiates a login after the cookie has expired

Expected Behavior

oauth 2 proxy should initate a login flow flow after --cookie-refresh time has passed

Current Behavior

oauth 2 proxy never initiates the login based on the cookie-refresh value, it's only after a refresh of the access token fails, that it initiates a login

Steps to Reproduce

Setup:
oauth2 proxy: OIDC provider for Keycloak

• cookie-refresh = 30s
• cookie-expire = 1m30s

The oauth2 proxy is configured to serve some static file for a mock backend.
We were constantly refreshing our browser to perform the test.

The Keycloak configuration is irrelevant as oauth2-proxy only cares about the cookie.

Context

In our real world setup, we have a Keycloak setup where the access token lifetime is 5m, and the refresh token lifetime is 10h.

This is my understanding of how oauth2 proxy works

• the --cookie-refresh parameter controls after how long oauth2-proxy will request a new access token using the refresh token
• the --cookie-expire parameter controls after how long oauth2-proxy will invalidate its cookie, thus invalidating both refresh and access token and requiring a user login

With this information, we set --cookie-refresh to 4m30s, and --cookie-expire to 9h54m, because in our understanding this
should make it so the oauth2 proxy never forwards tokens that are about to expire.

This does not seem to be the case as we still see users reaching our backend with expired tokens.

Your Environment

• Version used: 7.3.0

[cazpr]

I'm not an expert on how the oauth2-proxy works, but after taking a look at the sources it looks like the --cookie-expire option simply controls the Expires attribute of the session state cookie.

Each time the session is refreshed, the proxy sets a new cookie with the same fixed expiration.

[github-actions]

This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.

[wvdhaute]

+1

[miguelborges99]

Logs could help to diagnose the supposed problem.

[rbange]

I am using the plain oidc provider with a cookie refresh of 10 minutes and and expire of 24 hours.

The proxy is refreshing the session, however no new cookie is provided to the browser and therefore the session is invalided at the expiration of the id token around the 15 minutes mark:

[2023/02/22 12:52:02] [stored_session.go:189] Refreshing session - User: MYUSERNAME; SessionAge: 12m26.807988186s
172.20.6.13:46044 - 5e0111668f1fdbd453610054dc53d46d - MYUSERNAME [2023/02/22 12:52:02] mydomain.com GET - "/oauth2/auth" HTTP/1.1 "MYUSERAGENT" 202 0 0.001
[2023/02/22 12:52:03] [stored_session.go:189] Refreshing session - User: MYUSERNAME; SessionAge: 12m27.807988186s
172.20.6.13:46044 - 203314dd2a6999ad4c036b09afac6156 - MYUSERNAME [2023/02/22 12:52:03] mydomain.com GET - "/oauth2/auth" HTTP/1.1 "MYUSERAGENT" 202 0 0.001
[2023/02/22 12:55:47] [stored_session.go:189] Refreshing session - User: MYUSERNAME; SessionAge: 16m11.807988186s
[2023/02/22 12:55:47] [oidc.go:94] id_token verification failed: failed to verify token: oidc: token is expired (Token Expiry: 2023-02-22 12:54:35 +0000 UTC)
[2023/02/22 12:55:47] [stored_session.go:94] Error loading cookied session: error refreshing access token for session (Session{email:MYUSERNAME user:MYUSERNAME PreferredUsername: token:true id_token:true created:2023-02-22 12:39:35.192011814 +0000 UTC expires:2023-02-22 13:09:34.151439211 +0000 UTC groups:[MYGROUPS]}): session is invalid, removing session
172.20.6.13:51490 - 8f90ddf84959578f4cf733fb2d82cd8f - - [2023/02/22 12:55:47] mydomain.com GET - "/oauth2/auth" HTTP/1.1 "MYUSERAGENT" 401 13 0.001
172.20.6.13:51490 - c398c118f51c013217fe8860eabba5ac - - [2023/02/22 12:55:47] mydomain.com GET - "/oauth2/start?rd=%2Fheaders%2F" HTTP/1.1 "MYUSERAGENT" 302 429 0.000

If the /oauth2/auth endpoint does not provide the refreshed cookie, which endpoint does?

[JoelSpeed]

If the /oauth2/auth endpoint does not provide the refreshed cookie, which endpoint does?

It should be providing it, can you manually inspect the /oauth2/auth request to check if it is, at all sending the set-cookie header so we can determine if a bug has creeped in, or if there is some environmental specific factor there

[github-actions]

This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.

[wvdhaute]

This issue is still relevant for us

[bijay007]

The expiry of the cookie in the oauth2 proxy config for keycloak should be more than the SSO session max value in keycloak (Realm settings.

[carillonator]

UPDATE: Apologies, this was my fault and not an oauth2proxy issue. I am using oauth2proxy through envoy's external authorization, and failed to allow set-cookie in successful ext_authz responses (allowed_client_headers_on_success)

This is still an issue:

• A normal request is made -- i.e. not to an /oauth2/* endpoint
• After --cookie-refresh time has passed
• The cookie contains an expired access token, but still valid refresh token
• oauth2proxy logs show the session is being refreshed
• The IdP (keycloak) shows a successful refresh
• oauth2proxy responds 200, but without set-cookie
• Subsequent requests continue to trigger oauth2proxy to refresh again and again

[stored_session.go:189] Refreshing session - User: 8da1d67f-31ba-4f18-a8bf-4c9e8ffc391c; SessionAge: 1h6m19.210880148s
127.0.0.1 - 1e17fd39-9a3d-98e2-bf06-49b184750aef - me@me.com [2024/09/12 13:21:59] myapp.com GET / "/" HTTP/1.1 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ...

[ericproulx]

UPDATE: Apologies, this was my fault and not an oauth2proxy issue. I am using oauth2proxy through envoy's external authorization, and failed to allow set-cookie in successful ext_authz responses (allowed_client_headers_on_success)

This is still an issue:

* A normal request is made -- i.e. not to an /oauth2/* endpoint

* After `--cookie-refresh` time has passed

* The cookie contains an expired access token, but still valid refresh token

* oauth2proxy logs show the session is being refreshed

* The IdP (keycloak) shows a successful refresh

* oauth2proxy responds 200, but **without `set-cookie`**

* Subsequent requests continue to trigger oauth2proxy to refresh again and again

[stored_session.go:189] Refreshing session - User: 8da1d67f-31ba-4f18-a8bf-4c9e8ffc391c; SessionAge: 1h6m19.210880148s
127.0.0.1 - 1e17fd39-9a3d-98e2-bf06-49b184750aef - me@me.com [2024/09/12 13:21:59] myapp.com GET / "/" HTTP/1.1 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) ...

Got the same issue