The refresh behavior isn't clear with respect to how cookie_refresh affects tokens. Maybe the problem is the overloading of the word "refresh" in this case, but I'm not sure.
The documentation says:
It's recommended to refresh sessions on a short interval (1h) with cookie-refresh setting which validates that the account is still authorized.
This sounds like there's some sort of forced interaction with an identity provider to verify authorization. In the OAuth2 case, this sounds a lot like access tokens are supposed to be used to verify a user's info by testing to see if the access token is still authorized. I'm not sure what it means in the OIDC case.
In reality, all cookie_refresh seems to do is write out a new cookie to the user agent (new cookie expiry, new signature) via SaveSession.
Secondly, the refresh for the OIDC provider is not based on the expiration of the identity token.
Expected Behavior
For sure, the ID Token's expiration, not the access token's expiration, should be used to determine when to refresh the tokens.
I'm not sure what cookie_refresh should mean, acquire new ID tokens?
Current Behavior
ValidateSessionState relies on the IdToken being valid, but the expiry is derived from the oauth2 token response via the expires_in object, which is the lifetime of the access token, which I think can be a different time than the expiration of the ID token (though you'd think a reasonable provider would keep access token and id token lifetimes the same - but I can't verify that is the case).
CookieRefresh doesn't actually force a refresh of the tokens in the proxy (e.g. using the refresh token to acquire a new ID token) when the period has passed. It does generate a new valid cookie with an extended expiration (and of course, signs it).
Context
My ID tokens expire every 15 minutes. I was hoping I could use cookie_refresh to acquire new ID tokens every 10 minutes, guaranteeing that, when passing the token downstream, the ID token is still valid for at least 5 minutes.
It seems like my expires_in and exp are not the same values with my identity provider, with my access_tokens expiring after my identity tokens, though I'm having trouble verifying. This causes ValidateSessionState to fail because RefreshSessionIfNeeded doesn't think the token needs refreshing.
Your Environment
It seems like my expires_in and exp are not the same values with my identity provider, with my access_tokens expiring after my identity tokens, though I'm having trouble verifying.
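The following is an added example, not oauth2-proxy's own code, showing the scheduling rule the issue asks for: the refresh deadline is the earlier of the access-token expiry (issued-at plus expires_in) and the ID token's exp claim, minus a safety margin, so a forwarded ID token is still valid for at least that margin. The function names (RefreshDeadline, NeedsRefresh, parseExp) are hypothetical, and the ID token is a constructed HS256-signed JWT with a demo key; a real deployment verifies the provider's RS256/ES256 signature against its JWKS before trusting exp.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of ID-token claims needed to schedule a refresh.
type Claims struct {
	Exp int64  `json:"exp"`
	Sub string `json:"sub"`
}

// parseExp verifies an HS256-signed compact JWT with key and returns its exp claim.
// HS256 with a shared key is an assumption made only so this runs offline; never
// read exp from a token whose signature has not been checked.
func parseExp(token string, key []byte) (time.Time, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return time.Time{}, errors.New("malformed JWT")
	}
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return time.Time{}, errors.New("bad signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return time.Time{}, err
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return time.Time{}, err
	}
	if c.Exp == 0 {
		return time.Time{}, errors.New("missing exp claim")
	}
	return time.Unix(c.Exp, 0), nil
}

// signHS256 builds a constructed test token; it stands in for the provider.
func signHS256(claims Claims, key []byte) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	body, _ := json.Marshal(claims)
	payload := base64.RawURLEncoding.EncodeToString(body)
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(header + "." + payload))
	return header + "." + payload + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// RefreshDeadline is the instant at which the session must be refreshed: the earlier
// of the access-token expiry (issuedAt + expires_in) and the ID token's exp, minus margin.
func RefreshDeadline(issuedAt time.Time, expiresIn time.Duration, idTokenExp time.Time, margin time.Duration) time.Time {
	deadline := issuedAt.Add(expiresIn)
	if idTokenExp.Before(deadline) {
		deadline = idTokenExp
	}
	return deadline.Add(-margin)
}

// NeedsRefresh reports whether now has reached the deadline.
func NeedsRefresh(now, deadline time.Time) bool {
	return !now.Before(deadline)
}

func main() {
	key := []byte("constructed-demo-key") // constructed, not a real secret
	issuedAt := time.Unix(1700000000, 0)
	// Constructed scenario from the issue: expires_in=3600 but the ID token lives 15 minutes.
	idToken := signHS256(Claims{Exp: issuedAt.Add(15 * time.Minute).Unix(), Sub: "user@example.test"}, key)
	exp, err := parseExp(idToken, key)
	if err != nil {
		panic(err)
	}
	both := RefreshDeadline(issuedAt, time.Hour, exp, 5*time.Minute)
	accessOnly := issuedAt.Add(time.Hour).Add(-5 * time.Minute) // what expires_in alone yields
	for _, m := range []int{9, 10, 14} {
		now := issuedAt.Add(time.Duration(m) * time.Minute)
		fmt.Printf("t+%2dm: refresh=%v (expires_in alone: %v)\n", m, NeedsRefresh(now, both), NeedsRefresh(now, accessOnly))
	}
}
```

With a 15-minute ID token, a 3600-second expires_in and a 5-minute margin, the combined rule refreshes at t+10m, while the expires_in-only rule would not refresh until t+55m, long after the ID token has expired.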
This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.