From 76881b1e3cd46bae69a8bcae6e4b4f9eef14e73d Mon Sep 17 00:00:00 2001
From: Francesco Pasqualini
Date: Sun, 12 Apr 2026 03:40:13 +0200
Subject: [PATCH] fix: apply review nits and add CHANGELOG entry

Signed-off-by: Francesco Pasqualini
Signed-off-by: Jan Larwig
---
 CHANGELOG.md                     | 5 +++--
 pkg/middleware/stored_session.go | 8 +++-----
 2 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index beb1452b..e8f2d777 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,9 +8,10 @@
 
 ## Changes since v7.15.1
 
-# V7.15.1
-
 - [#3411](https://github.com/oauth2-proxy/oauth2-proxy/pull/3411) chore(deps): update gomod dependencies (@tuunit)
+- [#3333](https://github.com/oauth2-proxy/oauth2-proxy/pull/3333) fix: invalidate session on fatal OAuth2 refresh errors (@frhack)
+
+# V7.15.1
 
 ## Release Highlights
 
diff --git a/pkg/middleware/stored_session.go b/pkg/middleware/stored_session.go
index 8f45e13b..53238f19 100644
--- a/pkg/middleware/stored_session.go
+++ b/pkg/middleware/stored_session.go
@@ -44,7 +44,6 @@ func isFatalRefreshError(err error) bool {
 		return false
 	}
 
-	errStr := err.Error()
 	// Only check standard OAuth2 error codes (RFC 6749 Section 5.2)
 	// Do NOT check error_description strings as they are optional and provider-specific
 	fatalErrors := []string{
@@ -53,7 +52,7 @@ func isFatalRefreshError(err error) bool {
 	}
 
 	for _, fe := range fatalErrors {
-		if strings.Contains(errStr, fe) {
+		if strings.Contains(err.Error(), fe) {
 			return true
 		}
 	}
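Review bot: The loop's `if strings.Contains(err.Error(), fe) {` scans the entire error text, not the OAuth2 error code, so the comment above the list ("Do NOT check error_description strings") describes an intent the code does not enforce: a provider's error_description, or wrapping context added by a caller, that merely mentions one of the listed codes would be classified as fatal and the user's session cleared, forcing a needless re-login on what may be a transient failure. If the refresh error is, or wraps, a `*oauth2.RetrieveError` from golang.org/x/oauth2 (the error's concrete type is not visible here, so confirm that before relying on it), compare its `ErrorCode` field exactly and keep the substring scan only as a fallback for providers that return unstructured errors. The function's opening, and the list entries between the two hunks, are outside the hunk.
```go
	// Prefer the structured error code when the provider returned one; substring
	// matching on the whole message also hits error_description and wrapping text.
	var rerr *oauth2.RetrieveError
	if errors.As(err, &rerr) && rerr.ErrorCode != "" {
		return slices.Contains(fatalErrors, rerr.ErrorCode)
	}
	// … unchanged: substring fallback over fatalErrors …
```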
@@ -225,9 +224,8 @@ func (s *storedSessionLoader) refreshSessionIfNeeded(rw http.ResponseWriter, req
 			logger.Printf("Fatal refresh error detected (session revoked or invalid), clearing session for user: %s", session.User)
 
 			// Clear the session from storage (Redis) and remove the cookie
-			clearErr := s.store.Clear(rw, req)
-			if clearErr != nil {
-				logger.Errorf("Error clearing session: %v", clearErr)
+			if err := s.store.Clear(rw, req); err != nil {
+				logger.Errorf("failed clearing session: %v", err)
 			}
 
 			// Return error immediately to force re-authentication
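Review bot: A failing `s.store.Clear(rw, req)` is only logged at the new `if err := ...` line, so when the backing store is unreachable the revoked session record, and possibly its cookie, can outlive the decision this branch has just made that the session is invalid; the return that follows still rejects the current request, but nothing in the code records that the clean-up is best-effort. Add a comment making that explicit, e.g. `// Best-effort: a failed Clear is logged, not fatal; the error returned below still rejects this request.` followed by `// NOTE(review): confirm a later request re-enters this path so a stale record does not survive revocation.` The inner `err` also shadows whatever `err` the enclosing branch holds (the branch head is outside the hunk), which is legal but easy to misread when the refresh error is returned a few lines later; keeping a distinct name such as `clearErr` in the `if` initializer avoids that. The body of refreshSessionIfNeeded starts and ends outside the hunk.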