
Refreshing Behavior is under-defined for OIDC provider #36

Closed
brianv0 opened this issue Feb 1, 2019 · 1 comment
brianv0 commented Feb 1, 2019

The refresh behavior isn't clear with respect to how cookie_refresh affects tokens. Maybe the problem is the overloading of the word "refresh" in this case, but I'm not sure.

The documentation says:

It's recommended to refresh sessions on a short interval (1h) with cookie-refresh setting which validates that the account is still authorized.

This sounds like there's some sort of forced interaction with an identity provider to verify authorization. In the OAuth2 case, this sounds a lot like access tokens are supposed to be used to verify a user's info by testing to see if the access token is still authorized. I'm not sure what it means in the OIDC case.

In reality, all cookie_refresh seems to do is write out a new cookie to the user agent (new cookie expiry, new signature) via SaveSession.

Secondly, the refresh for the OIDC provider is not based on the expiration of the identity token.

Expected Behavior

For sure, the ID Token's expiration, not the access token's expiration, should be used to determine when to refresh the tokens.

I'm not sure what cookie_refresh should mean, acquire new ID tokens?

Current Behavior

ValidateSessionState relies on the IdToken being valid, but the expiry is derived from the oauth2 token response via the expires_in object, which is the lifetime of the access token, which I think can be a different time than the expiration of the ID token (though you'd think a reasonable provider would keep access token and id token lifetimes the same - but I can't verify that is the case).

CookieRefresh doesn't actually force a refresh of the tokens in the proxy (e.g. using the refresh token to acquire a new ID token) when the period has passed. It does generate a new valid cookie with an extended expiration (and of course, signs it).

Context

My ID tokens expire every 15 minutes. I was hoping I could use cookie_refresh to acquire new ID tokens every 10 minutes, guaranteeing that, when passing the token downstream, the ID token is still valid for at least 5 minutes.

It seems like my expires_in and exp are not the same values with my identity provider, with my access_tokens expiring after my identity tokens, though I'm having trouble verifying. This causes ValidateSessionState to fail because RefreshSessionIfNeeded doesn't think the token needs refreshing.

Your Environment

It seems like my expires_in and exp are not the same values with my identity provider, with my access_tokens expiring after my identity tokens, though I'm having trouble verifying.
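The mismatch described in this issue (session expiry taken from the access token's expires_in while the ID token carries its own exp claim) is easy to reproduce in isolation. The following is an added example written for this page; it is not oauth2_proxy's code, and the Session struct, the needsRefresh* functions and the unsignedJWT helper are hypothetical stand-ins for the proxy's session handling. It constructs a session in which the access token lives 60 minutes but the ID token only 15, then shows that a refresh decision keyed on expires_in does nothing at minute 12 while one keyed on the ID token's exp (with a 5-minute margin) asks for a refresh. The ID token is built with an empty signature purely for the demonstration; the exp claim is only meaningful after the token's signature has been verified, which the real proxy does when it validates the session.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Session is a hypothetical stand-in for the proxy's stored session: the
// token response plus a single expiry derived from expires_in.
type Session struct {
	AccessToken  string
	IDToken      string
	RefreshToken string
	ExpiresOn    time.Time // derived from expires_in in the token response
}

// idTokenExpiry decodes the JWT payload and returns its exp claim.
// It does NOT verify the signature; that must already have happened when
// the session was validated. Here only the expiry claim is needed.
func idTokenExpiry(idToken string) (time.Time, error) {
	parts := strings.Split(idToken, ".")
	if len(parts) != 3 {
		return time.Time{}, errors.New("id_token is not a three-part JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return time.Time{}, fmt.Errorf("decoding payload: %w", err)
	}
	var claims struct {
		Exp int64 `json:"exp"`
	}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return time.Time{}, fmt.Errorf("parsing claims: %w", err)
	}
	if claims.Exp == 0 {
		return time.Time{}, errors.New("id_token has no exp claim")
	}
	return time.Unix(claims.Exp, 0), nil
}

// needsRefreshByAccessToken models the behaviour the issue describes:
// refresh only once the expiry derived from expires_in has passed.
func needsRefreshByAccessToken(s Session, now time.Time) bool {
	return !now.Before(s.ExpiresOn)
}

// needsRefreshByIDToken models the behaviour the issue asks for: refresh
// when the ID token's exp is within margin of now, so whatever is passed
// downstream stays valid for at least margin.
func needsRefreshByIDToken(s Session, now time.Time, margin time.Duration) (bool, error) {
	exp, err := idTokenExpiry(s.IDToken)
	if err != nil {
		// An unparsable ID token cannot be handed downstream; force a refresh.
		return true, err
	}
	return !now.Add(margin).Before(exp), nil
}

// unsignedJWT builds a constructed JWT with an empty signature, for this
// example only. A real ID token is signed by the provider.
func unsignedJWT(exp time.Time) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"none","typ":"JWT"}`))
	payload := base64.RawURLEncoding.EncodeToString(
		[]byte(fmt.Sprintf(`{"sub":"alice","exp":%d}`, exp.Unix())))
	return header + "." + payload + "."
}

// exampleSession constructs the situation from the issue: the ID token
// expires 15 minutes after issue, the access token (expires_in=3600) after 60.
func exampleSession(issuedAt time.Time) Session {
	return Session{
		AccessToken:  "constructed-access-token",
		IDToken:      unsignedJWT(issuedAt.Add(15 * time.Minute)),
		RefreshToken: "constructed-refresh-token",
		ExpiresOn:    issuedAt.Add(60 * time.Minute),
	}
}

func main() {
	issued := time.Date(2019, 2, 1, 12, 0, 0, 0, time.UTC)
	s := exampleSession(issued)
	now := issued.Add(12 * time.Minute) // 3 minutes of ID token life left
	fmt.Println("refresh by expires_in:", needsRefreshByAccessToken(s, now))
	byID, _ := needsRefreshByIDToken(s, now, 5*time.Minute)
	fmt.Println("refresh by ID token exp (5m margin):", byID)
}
```

The check keyed on expires_in would let the proxy keep re-signing the cookie (the behaviour the issue attributes to cookie_refresh) and forward an ID token that expired 45 minutes before the session does. Keying the decision on exp with a margin matches the "valid downstream for at least 5 minutes" requirement stated in the Context section, and still requires a provider that actually issues refresh tokens for the refresh itself to succeed.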

github-actions bot commented Mar 8, 2020

This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.
