public_git
/
oauth2-proxy
mirror of https://github.com/oauth2-proxy/oauth2-proxy.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

docs: make clear that any access token expiry dates are ignored (#2644) 

* docs: make clear that any access token expiry dates are ignored

* clarify why access-token expiration cannot be validated

---------

Co-authored-by: Jan Larwig <jan@larwig.com>
This commit is contained in:
Simon 2024-07-18 22:11:40 +02:00 committed by GitHub
parent 3045392c17
commit a22668eb8c
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 6 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
docs/docs/configuration/sessions.md
View File

@ -60,13 +60,15 @@ Two settings are used to configure the OAuth2 Proxy cookie lifetime:
The "cookie-expire" value should be equal to the lifetime of the Refresh-Token that is issued by the OAuth2 authorization server. The "cookie-expire" value should be equal to the lifetime of the Refresh-Token that is issued by the OAuth2 authorization server.
If it expires earlier and is deleted by the browser, OAuth2 Proxy cannot find the stored Refresh-Tokens in Redis and thus cannot start If it expires earlier and is deleted by the browser, OAuth2 Proxy cannot find the stored Refresh-Tokens in Redis and thus cannot start
the refresh flow to get new Access-Tokens. If it is longer, it might be that the old Refresh-Token will be found in Redis but has already the refresh flow to get a new Access-Token. If it is longer, it might be that the old Refresh-Token will be found in Redis but has already
expired. expired.
The "cookie-refresh" value controls when OAuth2 Proxy tries to refresh an Access-Token. If it is set to "0", the The "cookie-refresh" value controls when OAuth2 Proxy tries to refresh an Access-Token. If it is set to "0", the
Access-Token will never be refreshed, even it is already expired and there would be a valid Refresh-Token in the Access-Token will never be refreshed, even if it is already expired and a valid Refresh-Token is available. If set, OAuth2-Proxy will
available. If set, OAuth2 Proxy will refresh the Access-Token after this many seconds even if it is still valid. refresh the Access-Token after this many seconds whether it is still valid or not. According to the official OAuth2.0 specification
Of course, it will also be refreshed after it has expired, as long as a Refresh Token is available. Access-Tokens are not required to follow a specific format. Therefore OAuth2-Proxy cannot check for any expiry date without an
introspection endpoint. If an Access-Token expires and you have not set a corresponding "cookie-refresh" value, you will likely
encounter expiry issues.
Caveat: It can happen that the Access-Token is valid for e.g. "1m" and a request happens after exactly "59s". Caveat: It can happen that the Access-Token is valid for e.g. "1m" and a request happens after exactly "59s".
It would pass OAuth2 Proxy and be forwarded to the backend but is just expired when the backend tries to validate It would pass OAuth2 Proxy and be forwarded to the backend but is just expired when the backend tries to validate