From 49dcd2e4bef75489d9fe34f913ff2109179f9bf9 Mon Sep 17 00:00:00 2001
From: Michael Gysel
Date: Thu, 20 Nov 2025 09:12:25 +0100
Subject: [PATCH] Fix session refresh handling in OIDC provider

- `s.Refreshed` was always `false` as the session object was not updated
- `ValidateURL` is, by default, not configured for OIDC providers. Access token validation now only happens when a validation endpoint is available.

Signed-off-by: Michael Gysel
---
 providers/oidc.go | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/providers/oidc.go b/providers/oidc.go
index eeac4073..f626ec3a 100644
--- a/providers/oidc.go
+++ b/providers/oidc.go
@@ -116,14 +116,12 @@ func (p *OIDCProvider) ValidateSession(ctx context.Context, s *sessions.SessionS
 // https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokenResponse
 // The ID Token is optional in the Refresh Token Response
- // TODO: @tuunit remove dependency on refreshed flag and only rely on presence of access_token
- // in accordance with the spec. For now, keep existing behavior.
 if s.Refreshed {
- if !validateToken(ctx, p, s.AccessToken, makeOIDCHeader(s.AccessToken)) {
+ validateEndpointAvailable := p.Data().ValidateURL != nil && p.Data().ValidateURL.String() != ""
+ if validateEndpointAvailable && !validateToken(ctx, p, s.AccessToken, makeOIDCHeader(s.AccessToken)) {
 logger.Errorf("access_token validation failed")
 return false
 }
- return true
 }
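Review bot: Dropping `return true` means a refreshed session now falls through to whatever checks follow the `if s.Refreshed` block (outside this hunk, presumably the ID Token verification), which is what keeps a refreshed session from being accepted on the strength of an unchecked access token alone when no `ValidateURL` is configured — but neither the code nor the commit message says so, and the next reader will wonder whether the removal was deliberate. Suggest a comment above the new condition: `// Without a validation endpoint the access token cannot be checked here; the session still has to pass the checks below.` Minor: `p.Data()` is evaluated twice in the same expression; `validateURL := p.Data().ValidateURL` followed by `validateURL != nil && validateURL.String() != ""` reads more directly. ValidateSession continues outside the hunk.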
@@ -189,9 +187,8 @@ func (p *OIDCProvider) redeemRefreshToken(ctx context.Context, s *sessions.Sessi
 return fmt.Errorf("unable create new session state from response: %v", err)
 }
- // It's possible that if the refresh token isn't in the token response the
- // session will not contain an id token.
- // If it doesn't it's probably better to retain the old one
+ // It's possible that a refresh does not renew the ID Token.
+ // If it doesn't, it's probably better to retain the old one.
 if newSession.IDToken != "" {
 s.IDToken = newSession.IDToken
 s.Email = newSession.Email
@@ -204,6 +201,7 @@ func (p *OIDCProvider) redeemRefreshToken(ctx context.Context, s *sessions.Sessi
 s.RefreshToken = newSession.RefreshToken
 s.CreatedAt = newSession.CreatedAt
 s.ExpiresOn = newSession.ExpiresOn
+ s.Refreshed = newSession.Refreshed
 return nil
 }
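Review bot: `s.Refreshed = newSession.Refreshed` in the second hunk makes the flag depend on whatever built `newSession` having set it, which is not visible here; if this line is only reached after the refresh response has been redeemed successfully, as the surrounding context suggests, `s.Refreshed = true` states the intent directly and does not rely on that helper. If the copy is kept, a short comment such as `// propagate Refreshed so ValidateSession takes the post-refresh path` would tie the assignment to its consumer, since the commit message is the only place that currently explains why the flag matters. redeemRefreshToken begins outside the hunk.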