-
Notifications
You must be signed in to change notification settings - Fork 326
Access Tokens and Refresh Tokens
The access_token
that mod_auth_openidc receives from the OP will be used by the module
itself against the user_info
endpoint of the OP (if configured) to resolve extra claims about
the user. Besides that an application may be interested in the access_token
to use it against
other OAuth 2.0 protected APIs, typically when additional scopes have been requested in addition
to the OpenID Connect scopes (using OIDCScope
).
For that purpose mod_auth_openidc passes the access_token
that it receives from the OP to
applications in a header named OIDC_access_token
. If there's a hint from the OP about the
access_token
's expiry time (expires_in
) then an additional header named OIDC_access_token_expires
will be set with an absolute Unix timestamp that indicates when the access_token
expires.
If a refresh_token
is returned by the OP, the module stores the refresh_token
in the
user session. When the application wants to refresh the access_token, it may call the module
on the following hook:
<redirect_uri>?refresh=<return_to>&access_token=<access_token>
When called on this hook mod_auth_openidc will refresh the access_token
using the stored
refresh_token
as described in the OpenID Connect specification in section 12. Using Refresh Tokens.
The redirect_uri
URL value corresponds to the value set in the OIDCRedirectUri
configuration primitive. The return_to
value of the refresh
parameter is the URL that the
module will redirect the browser to after refreshing the access_token
. The old/current access_token
needs to be passed in the access_token
parameter for XSRF protection.
When the access_token
is successfully refreshed, the OIDC_access_token
and OIDC_access_token_expires
headers will have been set with the new values obtained from the OP. When refreshing the access_token
fails, a parameter named error_code
will be passed back to the return_to
URL as in:
<return_to>?error_code=<value>
The following error_code
values have been defined:
error_code value Description
no_access_token no access_token parameter was passed
no_access_token_exists no access_token exists in the session
no_access_token_match the access_token provided did not match the one stored in the session
no_refresh_token_exists no refresh_token exists in the session
session_corruption the session is corrupt, i.e internal error
refresh_failed refreshing the access_token with the provider failed
When an error_code
parameter is returned to the return_to
URL it means that the access_token
has not been refreshed and the caller should take appropriate action, i.e. it can no longer assume that the old access_token
is valid.
(since 2.0.1rc2) If an access token has been revoked (somewhere else) on the Authorization Server, the Resource Server may still have it in its cache as a valid token. You can invalidate the cache entry for the access token by calling:
<redirect_uri>?remove_at_cache=<access_token>
so that on the next call the token needs to be introspected and that action will fail because the token is not valid anymore.