Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OIDC: Preserve the refresh token if no new refresh token is returned #28023

Merged
merged 1 commit into from Sep 20, 2022
Merged

OIDC: Preserve the refresh token if no new refresh token is returned #28023

merged 1 commit into from Sep 20, 2022

Conversation

sberyozkin
Copy link
Member

@sberyozkin sberyozkin commented Sep 16, 2022
edited

Fixes #27753.

As described in #27753, some providers do not recycle the tokens after the refresh grant completes, and in such cases, refreshing the sessions is not no longer possible because quarkus-oidc does not keep the original refresh token which was used to complete the first (and currently last in such cases) refresh grant request.
The right approach is to keep the original refresh token if no new refresh token has been returned in the refresh grant response. If this RT becomes expired then the provider will reject it anyway - but in this case the refresh token is cleared.

The actual fix is straightforward - just keep the current RT if the successful RT grant response has no new RT.

But I've spent nearly 2 days on creating a test - first in integration-tests/oidc-wiremock where it worked but not always due to some wiremock state issues and eventually I did it in integration-tests/oidc-tenancy where we have a test OidcResource provider endpoint.
The test emulates this flow as precisely as possible: 1) tokens are obtained using the code flow first, then, 2) after an id token expiration, the first refresh grant request is performed but it returns no new RT so the original one is kept, and finally, 3) when a new id token also expires, another RT grant it performed with OIDC server failing it and it causes a redirect for the user to reauthenticate

@quarkus-bot

This comment has been minimized.

Sign in to view
@sberyozkin
Copy link
Member Author

I think I'll have to disable this CodeFlowTest, though I'll double check it is not related to this PR

@gsmet
Copy link
Member

gsmet commented Sep 19, 2022

I think I'll have to disable this CodeFlowTest, though I'll double check it is not related to this PR

so what should we do with this PR?

@sberyozkin
Copy link
Member Author

@pedroigor Thanks for the approval,
@gsmet, I've re-tested it, this test failure is that single random test failure I've seen from Thursday which I referred to from #27900, not related to this PR, let me get another minor PR in front of this one, about to complete it, which adds more debug messages just to double check, if time allows

@sberyozkin
Copy link
Member Author

sberyozkin commented Sep 19, 2022
edited

@gsmet Can you please review and approve #28059, and then I'll refresh this PR

@sberyozkin sberyozkin mentioned this pull request Sep 19, 2022
Merged
@sberyozkin sberyozkin merged commit 49c4c6c into quarkusio:main Sep 20, 2022
@quarkus-bot quarkus-bot bot added this to the 2.14 - main milestone Sep 20, 2022
@sberyozkin sberyozkin deleted the oidc_keep_refresh_token_cookie branch September 20, 2022 09:26
@gsmet gsmet modified the milestones: 2.14 - main, 2.13.0.Final Sep 20, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pedroigor pedroigor pedroigor approved these changes

Assignees
No one assigned
Labels
area/oidc kind/bugfix
Projects
None yet
Milestone
2.13.0.Final
Development

Successfully merging this pull request may close these issues.

quarkus-oidc loses a refresh token if the provider does not recycle it during the refresh token grant
3 participants
@sberyozkin @gsmet @pedroigor