Michi Gysel 2025-12-01 12:22:35 +01:00 committed by GitHub
commit 3bbdfc32d9
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 6 additions and 7 deletions


@ -9,6 +9,7 @@
## Changes since v7.13.0
- [#3197](https://github.com/oauth2-proxy/oauth2-proxy/pull/3197) fix: NewRemoteKeySet is not using DefaultHTTPClient (@rsrdesarrollo / @tuunit)
- [#3267](https://github.com/oauth2-proxy/oauth2-proxy/pull/3267) fix: Session refresh handling in OIDC provider (@gysel)
# V7.13.0


@ -117,14 +117,12 @@ func (p *OIDCProvider) ValidateSession(ctx context.Context, s *sessions.SessionS
// https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokenResponse
// The ID Token is optional in the Refresh Token Response
// TODO: @tuunit remove dependency on refreshed flag and only rely on presence of access_token
// in accordance with the spec. For now, keep existing behavior.
if s.Refreshed {
if !validateToken(ctx, p, s.AccessToken, makeOIDCHeader(s.AccessToken)) {
validateEndpointAvailable := p.Data().ValidateURL != nil && p.Data().ValidateURL.String() != ""
if validateEndpointAvailable && !validateToken(ctx, p, s.AccessToken, makeOIDCHeader(s.AccessToken)) {
logger.Errorf("access_token validation failed")
return false
}
return true
}
@ -190,9 +188,8 @@ func (p *OIDCProvider) redeemRefreshToken(ctx context.Context, s *sessions.Sessi
return fmt.Errorf("unable create new session state from response: %v", err)
}
// It's possible that if the refresh token isn't in the token response the
// session will not contain an id token.
// If it doesn't it's probably better to retain the old one
// It's possible that a refresh does not renew the ID Token.
// If it doesn't, it's probably better to retain the old one.
if newSession.IDToken != "" {
s.IDToken = newSession.IDToken
s.Email = newSession.Email
@ -205,6 +202,7 @@ func (p *OIDCProvider) redeemRefreshToken(ctx context.Context, s *sessions.Sessi
s.RefreshToken = newSession.RefreshToken
s.CreatedAt = newSession.CreatedAt
s.ExpiresOn = newSession.ExpiresOn
s.Refreshed = newSession.Refreshed
return nil
}
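Review bot: With the new `validateEndpointAvailable` guard in the first hunk, a refreshed session whose provider has no validate URL configured reaches `return true` with no check of the access token at all, so `s.Refreshed` alone now vouches for the session; that is presumably intended (the old path failed hard and forced a re-login), but the skip is silent and an operator reading "access_token validation failed" logs elsewhere has no way to tell that validation was bypassed here. I would log the skip once per validation, e.g. `logger.Printf("validate URL not configured; skipping access_token validation after refresh")` (or the logger package's debug-level equivalent), and add a comment above the guard noting that the session is then trusted on the strength of the token endpoint response that `redeemRefreshToken` accepted. Whether that response's ID token is signature-verified when present is not visible in this diff (`createSessionState` at the top of the second hunk is outside the view), so the comment should state that assumption rather than assert it. As a style point, `p.Data()` is evaluated twice on the same line; hoisting `validateURL := p.Data().ValidateURL` reads more clearly. `ValidateSession` begins before the first hunk and continues past it.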