
save_refresh_token may delete valid refresh_token and break refresh functionality #404

@drzraf


Describe the bug
save_refresh_token() is called after the initial request. In our case of interest, the payload brings a request_token field (in the case of Google, this happens if access_type=offline).
Such a refresh_token may not have an expiration time.

The problem is that when a refresh is requested, in ensure_tokens_still_fresh(), save_refresh_token() is called again with the new response. But the new response may not provide a new refresh_token.
Google states:

Your application should store both tokens in a secure, long-lived location that is accessible between different invocations of your application.

save_refresh_token() disregards the existing and still valid refresh_token and replaces it with false (since the response to a renewal does not contain it).

To Reproduce
Steps to reproduce the behavior:

  1. Use Google OIDC with refresh token
        add_filter( 'openid-connect-generic-auth-url', function( string $url ) {
            return $url . '&access_type=offline&prompt=consent';
        });
  2. Connect
  3. See from your logs that you're disconnected after 1h (the first call to refresh_token)

Expected behavior
I think Google OIDC should work out of the box.

Isolating the problem (mark completed items with an [x]):

  • I have deactivated other plugins and confirmed this bug occurs when only this plugin is active.
  • This bug happens with a default WordPress theme active.
  • I can reproduce this bug consistently using the steps above.

WordPress Environment

  • PHP Version: 7.4
  • WordPress Version: 3.9
  • Plugin Version: 3.9.0
  • Identity Provider: Google
  • Relevant Plugin Settings:
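
The token handling this report asks for, as an added example that is not the plugin's code and not part of the original issue: a refresh response that omits refresh_token leaves the stored one in place, and one that includes a new token replaces it. The function name, the state keys and the non-standard refresh_expires_in field are assumptions; the token values are constructed.

```php
<?php
/**
 * Hypothetical helper (not the plugin's save_refresh_token()): merge a
 * token-endpoint response into the token state kept for the session.
 *
 * @param array $stored   State saved earlier; empty on first login.
 * @param array $response Decoded JSON body from the token endpoint.
 * @param int   $now      Current Unix time.
 * @return array Updated state to persist.
 */
function merge_token_state( array $stored, array $response, int $now ): array {
    $state = array(
        // The access token lifetime always comes from the latest response.
        'access_expires_at'  => $now + (int) ( $response['expires_in'] ?? 0 ),
        // Start from what is already stored, so a response without a
        // refresh_token cannot erase a refresh token that is still valid.
        'refresh_token'      => $stored['refresh_token'] ?? null,
        // null means the provider gave no expiry for the refresh token.
        'refresh_expires_at' => $stored['refresh_expires_at'] ?? null,
    );

    if ( ! empty( $response['refresh_token'] ) ) {
        // The provider issued a new refresh token: the old one is replaced.
        $state['refresh_token']      = $response['refresh_token'];
        // refresh_expires_in is a non-standard field (assumption); when it
        // is absent the refresh token is treated as having no expiry.
        $state['refresh_expires_at'] = isset( $response['refresh_expires_in'] )
            ? $now + (int) $response['refresh_expires_in']
            : null;
    }

    return $state;
}

// Constructed responses: an initial login with access_type=offline, then a
// renewal one hour later that carries no refresh_token.
$now     = 1700000000;
$login   = array( 'access_token' => 'at-1', 'expires_in' => 3600, 'refresh_token' => 'rt-1' );
$renewal = array( 'access_token' => 'at-2', 'expires_in' => 3600 );

$state = merge_token_state( array(), $login, $now );
$state = merge_token_state( $state, $renewal, $now + 3600 );

if ( 'rt-1' !== $state['refresh_token'] ) {
    throw new RuntimeException( 'stored refresh token was lost on renewal' );
}
echo "refresh token kept after renewal\n";
```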

Labels: bug, enhancement, needs analysis