
[Feature]: auto refresh token #2588

Open
devildant opened this issue Apr 2, 2024 · 5 comments

Comments

@devildant

devildant commented Apr 2, 2024

Motivation

Good morning,
I've seen a lot of topics on refresh tokens that are left to die :(
Is it planned to provide a solution to refresh the token before expiration?

For my part I use an SSO server (Synology) where the token expires after 3 minutes (and I cannot change this), so every 3 minutes my users are forced to reconnect (the SSO is still connected to it, it's just oauth2-proxy which deletes its cookies because the id_token has expired).

pr:
#1955
#2344
#2431

subject:
#1942
....

Possible solution

No response

Provider

oidc

@code-and-such

After reading the tickets involved I must confess I do not really understand whether token refresh is completely broken, or it's just some aspects of it that do not work properly/according to spec. I assume the latter.

We do have problems with our Cognito/OAuth2-proxy setup, and I thought it might have had to do with this, but it might as well be misaligned cookie expire/refresh values, which we have now modified (and we are now waiting for user feedback).

But it would be nice to get some kind of clarification on whether token refreshing works in most cases?

@xXluki98Xx

xXluki98Xx commented Apr 10, 2024

Hi, I had the same/similar problem.
I am using Zitadel as IdP and want OAuth2 Proxy as middleware.

tl;dr: The session refresh handling seems to be broken if you use only the cookie. I added Redis for session handling and it works.

But I am not sure if it's a solution for your situation.

@devildant
Author

Interesting, could you tell me more? Do you mount a Redis Docker container that you have linked to oauth2_proxy? Do you have an example configuration? ;)

@xXluki98Xx

xXluki98Xx commented Apr 30, 2024

Sure:

Please note that this is using KeyDB, but I found that it does currently not run on AMD CPUs.

compose.yml:

...
oauth-cache:
    # image: redis:6.2-alpine
    image: eqalpha/keydb:latest
    restart: always
    networks:
        - localdev
    ports:
        - '6379:6379'
    command:
        - keydb-server
        - --save 20 1
        - --loglevel warning

oauth2proxy:
    image: quay.io/oauth2-proxy/oauth2-proxy:v7.5.1
    restart: unless-stopped
    networks:
        - localdev
    depends_on:
        - oauth-cache
    ports:
        - 4180:4180
    volumes:
        - ./oauth2proxy.config:/etc/config.cfg
    command: >
        --config "/etc/config.cfg"

oauth2proxy.config:

  ...
  # session handling
  session_store_type="redis"
  redis_connection_url = "redis://oauth-cache:6379/0"
  cookie_refresh = "30m"
  cookie_expire = "24h"

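A worked model of the refresh/expiry timing behind this thread (an added example, not code from the issue or from oauth2-proxy itself): it replays requests against a session whose id_token lives 3 minutes, as in the opening post, and compares cookie_refresh disabled, the 30m value from the config above, and a value shorter than the token lifetime. It assumes oauth2-proxy's loader refreshes a session only once its age reaches cookie_refresh and then drops any session whose token has already expired, that the IdP always honours the refresh token, and that the store (Redis here) persists the refreshed session; `Session`, `load_session` and `simulate` are names of this model, not project APIs.

```python
from dataclasses import dataclass
from datetime import timedelta


@dataclass
class Session:
    created_at: timedelta   # login time, or time of the last successful refresh
    expires_on: timedelta   # expiry of the id_token stored in the session
    refreshes: int = 0


def load_session(session, now, cookie_refresh, token_ttl):
    """One request through the stored-session loader (model, not project code):
    refresh first if refresh is enabled and the session is old enough, then
    validate; an expired session is dropped and the user must log in again."""
    if cookie_refresh > timedelta(0) and now - session.created_at >= cookie_refresh:
        # Assumption: the IdP still accepts the refresh token, so the refresh
        # succeeds and yields a new token with the same lifetime.
        session.created_at = now
        session.expires_on = now + token_ttl
        session.refreshes += 1
    if session.expires_on < now:
        return None  # session removed: token expired -> forced re-login
    return session


def simulate(cookie_refresh, token_ttl, request_every, for_duration):
    """Replay requests spaced request_every apart for for_duration.
    Returns (time of the first forced re-login or None, successful refreshes)."""
    session = Session(created_at=timedelta(0), expires_on=token_ttl)
    now = timedelta(0)
    while now < for_duration:
        now += request_every
        if load_session(session, now, cookie_refresh, token_ttl) is None:
            return now, session.refreshes
    return None, session.refreshes


MIN = timedelta(minutes=1)
ID_TOKEN_TTL = 3 * MIN  # the Synology SSO token lifetime from the opening post

if __name__ == "__main__":
    for label, refresh in [("cookie_refresh disabled (default)", 0 * MIN),
                           ("cookie_refresh = 30m (config above)", 30 * MIN),
                           ("cookie_refresh = 2m (shorter than token)", 2 * MIN)]:
        forced, n = simulate(refresh, ID_TOKEN_TTL, MIN, timedelta(hours=24))
        print(f"{label}: first forced re-login at {forced}, refreshes={n}")
```

With a 3-minute token only a cookie_refresh shorter than the token lifetime keeps the session alive; at 30m the refresh never fires in time and the session is discarded at the first request after minute 3, exactly the forced reconnect described in the opening post.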
@devildant
Author

Perfect, I also wanted to use KeyDB instead of Redis, that's good :)
Thx a lot
