Refactor RefreshSessionIfNeeded to RefreshSession
#856
Comments
|
Agreed, we should have the decision and logic on when to refresh centrally and then have the providers implement the refreshing. I wonder if we can interpret somehow the config so that a provider knows that is has been configured for refreshing? If so, it could expose a method |
|
Actually it looks to me that the cookie is never refreshed when the token expires, or at least is not refreshed via the Case in point - the id_token on Keycloak by default only lives 5 minutes. After five minutes with pretty much eternal cookie the id_token returned by oauth2-proxy is expired and the session does not change. |
|
FYI, I'm working on a solution, will submit today, hopefully. |
Currently when a OIDC tokens expire the session cookie is not refreshed by default resulting in proxy providing a useless stale token.
The cookie_refresh mode that is based on TTL is largely useless as that TTL needs to be synchronized with settings in OIDC provider, which also makes it largely unusable.
Thus, an additional automatic cookie refresh mode is added as follows:
cookie_refresh = -1
cookie_refresh_grace_pcnt = 85
When cookie_refresh is set to -1 (default is still 0 for disabled to preserve backwards compatibility) every cookie refresh will undergo a check through the provider to see if the cookie needs to be refreshed based on token expiry. The refresh grace percentage (default to 100%) is then used to determine when to set the expiry. The grace percentage of 100% means that the token/cookie will be refreshed at 100% of the expiration period. As in the example above setting it to any other number X between 1 - 99 will refresh the token after X% of the token lifetime has expired.
As an additional piece of logic, the expiry time for OIDC provider is now set to the earliest of ID Token and Access Token expiration.
A bonus fix - when selecting a provider, the choice is now printed and a warning is issued if provider name is not recognized (I got burned by this personally not realizing "openidc" is not "oidc" and there would be a default to "google").
Lastly, architecturally, the APIs for providers now carry ProxyState as a parameter, granting providers access to relevant common configuration. I only threw there what I needed for this.
fixes oauth2-proxy#856
Currently when a OIDC tokens expire the session cookie is not refreshed by default resulting in proxy providing a useless stale token.
The cookie_refresh mode that is based on TTL is largely useless as that TTL needs to be synchronized with settings in OIDC provider, which also makes it largely unusable.
Thus, an additional automatic cookie refresh mode is added as follows:
cookie_refresh = -1
cookie_refresh_grace_pcnt = 85
When cookie_refresh is set to -1 (default is still 0 for disabled to preserve backwards compatibility) every cookie refresh will undergo a check through the provider to see if the cookie needs to be refreshed based on token expiry. The refresh grace percentage (default to 100%) is then used to determine when to set the expiry. The grace percentage of 100% means that the token/cookie will be refreshed at 100% of the expiration period. As in the example above setting it to any other number X between 1 - 99 will refresh the token after X% of the token lifetime has expired.
As an additional piece of logic, the expiry time for OIDC provider is now set to the earliest of ID Token and Access Token expiration.
A bonus fix - when selecting a provider, the choice is now printed and a warning is issued if provider name is not recognized (I got burned by this personally not realizing "openidc" is not "oidc" and there would be a default to "google").
Lastly, architecturally, the APIs for providers now carry ProxyState as a parameter, granting providers access to relevant common configuration. I only threw there what I needed for this.
fixes oauth2-proxy#856
For RFC only fixes oauth2-proxy#856
For RFC only fixes oauth2-proxy#856
For RFC only fixes oauth2-proxy#856
For RFC only fixes oauth2-proxy#856
For RFC only fixes oauth2-proxy#856
|
Have been bitten by this. Currently trying out #915 and it seems to be working for my needs so far. Cheers @arcivanov ! |
For RFC only fixes oauth2-proxy#856
For RFC only fixes oauth2-proxy#856
|
So in looking over #946 I think I caught a very subtle but very dangerous interaction between RefreshSession & ValidateSession that might cause nasty bugs in the future: #946 (comment) I'm thinking it might be prudent for us to completely decouple the Refresh & Validate into two separate timers that users can controls as they wish ( |
|
Related - I think the decoupled manner we manage the underlying session fields (via public fields across disparate middleware & provider implementations) is ripe for confusion and bugs. We've seen many times where contributors add refresh logic to a provider and don't manage the time settings properly. So I think we should refactor these to being owned by the Something like this: To help centralize the disparate logic between individual providers and here: oauth2-proxy/pkg/middleware/stored_session.go Line 115 in d67d6e3 AND For this: oauth2-proxy/pkg/middleware/stored_session.go Line 158 in d67d6e3 |
For RFC only fixes oauth2-proxy#856
|
This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed. |
|
This issue is still relevant for me! |
|
A quick and dirty but at least minimal invasive hack that also refreshes the OIDC Token 30s before expiration. Forked from 2021-04-03 master: |
|
@NickMeves any news about this? |
|
I have a draft PR started, but I will be slow. Job commitments at the moment are drastically limiting the time I have to work on OAuth2 Proxy. |
|
@NickMeves thanks anyway! ❤️ |
|
@NickMeves Thank you for your replies. Is this issue still on track? |
|
I plan to dive back into this draft and reassess this weekend or next: #1086 We merged a prereq I wanted to get in place for this refactor to manage time throughout our codebase in a more streamlined way, so it shouldn't have any blockers besides me getting back into the flow of OAuth2 Proxy now that I'm onboarded at my new job. |
|
This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed. |
|
This issue is still relevant to us. |
|
@gysel the PR #1086 is merged in master since June. @NickMeves make sense for you to close this issue? |
|
Fixed in #1086 |
Currently, when we are passed the
cookie-refreshTTL, we only refresh the session if the Access or ID Token is expired (depending on which the provider uses for theExpiresOnfield).This leads to a lot of issues on the border of the expiration - where a session might for a split second be valid and pass at the proxy layer, and pass an Access or ID Token to the upstream that will be expired by the time it gets there.
We should support opportunistic ability to refresh tokens/sessions ahead of expiration (E.g. 80% of token lifespan).
Expected Behavior
Our
RefreshSessionsprovider methods make no judgments on when to refresh. They will refresh if called.This gives more control to the end user to set the time appropriately with
cookie-refresh.Current Behavior
Sessions only refresh if they are already expired.
Possible Solution
This logic throughout providers ditches the
ExpiresOnchecks:if s == nil || (s.ExpiresOn != nil && s.ExpiresOn.After(time.Now())) || s.RefreshToken == "" {This global manager that handles this at the middleware level will also need to change:
https://github.com/oauth2-proxy/oauth2-proxy/blob/3fa42edb7350219d317c4bd47faf5da6192dc70f/pkg/middleware/stored_session.go
I lean toward if we want any logic about only at 80% of greater of the life of a session, we do that in
stored_session.go(as a safety precaution for people setting overeager refresh times that result in refresh requests every request).The text was updated successfully, but these errors were encountered: