public_git
/
oauth2-proxy
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Fix session refresh handling in OIDC provider 

- `s.Refreshed` was always `false` as the session object was not updated
- `ValidateURL` is, by default, not configured for OIDC providers. Access token validation now only happens when a validation endpoint is available.

Signed-off-by: Michael Gysel <michael.gysel@unblu.com>
This commit is contained in:
Michael Gysel 2025-11-20 09:12:25 +01:00
parent 7cf69b27fa
commit 49dcd2e4be
1 changed files with 5 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
providers/oidc.go
View File

@ -116,14 +116,12 @@ func (p *OIDCProvider) ValidateSession(ctx context.Context, s *sessions.SessionS
// https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokenResponse
// The ID Token is optional in the Refresh Token Response
// TODO: @tuunit remove dependency on refreshed flag and only rely on presence of access_token
// in accordance with the spec. For now, keep existing behavior.
if s.Refreshed {
if !validateToken(ctx, p, s.AccessToken, makeOIDCHeader(s.AccessToken)) {
validateEndpointAvailable := p.Data().ValidateURL != nil && p.Data().ValidateURL.String() != ""
if validateEndpointAvailable && !validateToken(ctx, p, s.AccessToken, makeOIDCHeader(s.AccessToken)) {
logger.Errorf("access_token validation failed")
return false
}
return true
}
@ -189,9 +187,8 @@ func (p *OIDCProvider) redeemRefreshToken(ctx context.Context, s *sessions.Sessi
return fmt.Errorf("unable create new session state from response: %v", err)
}
// It's possible that if the refresh token isn't in the token response the
// session will not contain an id token.
// If it doesn't it's probably better to retain the old one
// It's possible that a refresh does not renew the ID Token.
// If it doesn't, it's probably better to retain the old one.
if newSession.IDToken != "" {
s.IDToken = newSession.IDToken
s.Email = newSession.Email
@ -204,6 +201,7 @@ func (p *OIDCProvider) redeemRefreshToken(ctx context.Context, s *sessions.Sessi
s.RefreshToken = newSession.RefreshToken
s.CreatedAt = newSession.CreatedAt
s.ExpiresOn = newSession.ExpiresOn
s.Refreshed = newSession.Refreshed
return nil
}