Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

quarkus-oidc loses a refresh token if the provider does not recycle it during the refresh token grant #27753

Closed
sberyozkin opened this issue Sep 6, 2022 · 1 comment · Fixed by #28023
Closed

quarkus-oidc loses a refresh token if the provider does not recycle it during the refresh token grant #27753

sberyozkin opened this issue Sep 6, 2022 · 1 comment · Fixed by #28023
Assignees
@sberyozkin
Labels
area/oidc kind/bug Something isn't working
Milestone
2.13.0.Final

Comments

@sberyozkin
Copy link
Member

Describe the bug

quarkus-oidc, once it completes the code flow, keeps ID, access and refresh tokens concatenated in a single cookie or split into 3 separate cookies. The lifetime of all of these cookies is set to the age of the ID token plus some extra configurable duration.
If the session is about to expire and quarkus-oidc is allowed to auto-refresh it then it will use the refresh token to refresh ID and access tokens, and if a provider such as Keycloak supports a recommended RT recycling (to minimize the risk of RT being stolen), a new refresh token will be returned.

However if a provider does not return a RT with a RT grant, then the original RT, if it is still valid should stay around - but unfortunately it is gone since quarkus-oidc deletes the session related cookies when auto-refreshing.

It needs to be investigated if it can be properly addressed by default - it is not a real blocker since if RT is not available - the side-affect is that the user will have to re-authenticate manually when the session has expired - but it does effect a user experience.

Perhaps the best option is to use a custom TokenStateManager in such cases

Expected behavior

No response

Actual behavior

No response

How to Reproduce?

No response

Output of uname -a or ver

No response

Output of java -version

No response

GraalVM version (if different from Java)

No response

Quarkus version or git rev

No response

Build tool (ie. output of mvnw --version or gradlew --version)

No response

Additional information

No response
@sberyozkin sberyozkin added the kind/bug Something isn't working label Sep 6, 2022
@quarkus-bot quarkus-bot bot added the area/oidc label Sep 6, 2022
@quarkus-bot
Copy link

quarkus-bot bot commented Sep 6, 2022

/cc @pedroigor

@sberyozkin sberyozkin self-assigned this Sep 12, 2022
@sberyozkin sberyozkin mentioned this issue Sep 16, 2022
Merged
@quarkus-bot quarkus-bot bot added this to the 2.14 - main milestone Sep 20, 2022
@gsmet gsmet modified the milestones: 2.14 - main, 2.13.0.Final Sep 20, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@sberyozkin sberyozkin

Labels
area/oidc kind/bug Something isn't working
Projects
None yet
Milestone
2.13.0.Final
Development

Successfully merging a pull request may close this issue.

OIDC: Preserve the refresh token if no new refresh token is returned sberyozkin/quarkus
2 participants
@sberyozkin @gsmet