
Repeat the grant request if OidcClient refresh token has expired #21924

Merged

Conversation

@sberyozkin sberyozkin commented Dec 3, 2021

Fixes #21873

When OidcClient acquires the tokens it gets an access token, and possibly a refresh token. If the access token has expired then, if the refresh token is available, it will use a refresh token grant to get a new access token / refresh token pair; if no refresh token is available, it will try to get this new pair by repeating the same grant request which was used to acquire the original pair, etc.

What has been reported in #21873 is that when the access token has expired and OidcClient uses an available refresh token, it can fail if this refresh token has also expired.

So, when the access token has expired, the same grant request (for example, password) has to be used to acquire a new pair of tokens not only when the refresh token is not available but also when it is available but has expired too. It is really the only way to address it.

So this PR applies a small update to TokensHelper accordingly. Additionally it introduces a refreshExpiresInProperty, similarly to how it is done for the standard expires_in property; but while expires_in is a standard property, no standard property for conveying the refresh token expiry time exists, so it is really needed for the refresh token case. By default it is set to refresh_expires_in, which is what Keycloak returns.

OidcClientImpl calculates the time the refresh token will expire the same way it does for the access token: first this property is checked, and if it is not available then, if the RT is a JWT (JSON), it tries to get the expiry claim.

The OidcClientWiremock test which refreshes the token has been updated to check that a grant request is repeated when the refresh token has also expired; comments have been added to clarify how the test works.
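The expiry handling the description above outlines, as an added stand-alone Python illustration. This is not Quarkus's TokensHelper or OidcClientImpl code (those are Java) and it does not talk to a real provider: the FakeTokenEndpoint, the password grant parameters, the token strings and the clock values are constructed test data, and the `check_refresh_expiry` switch is a hypothetical knob that exists only to reproduce the failure reported in #21873. The refresh token expiry is derived the way the PR describes: from a configurable property (default `refresh_expires_in`) if the token response carries it, otherwise from the `exp` claim if the refresh token happens to be a JWT, otherwise it stays unknown.

```python
import base64
import json
from collections import namedtuple
from typing import Callable, Optional

class GrantError(Exception):
    """Token endpoint error response: (error, error_description)."""

def make_unsigned_jwt(claims: dict) -> str:
    """Constructed JWT-shaped string with a dummy signature (test data only)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"

def jwt_exp(token: str) -> Optional[float]:
    """'exp' claim if the token is JWT-shaped, else None. Signature deliberately unchecked:
    the value only estimates expiry, it never makes the token trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        exp = json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4))).get("exp")
    except (ValueError, AttributeError):
        return None
    return float(exp) if isinstance(exp, (int, float)) and not isinstance(exp, bool) else None

class FakeTokenEndpoint:
    """Constructed stand-in for a token endpoint (hypothetical); rejects expired refresh tokens."""
    def __init__(self, access_ttl: int, refresh_ttl: int, clock: Callable[[], float],
                 jwt_refresh: bool = False):
        self.access_ttl, self.refresh_ttl, self.clock = access_ttl, refresh_ttl, clock
        self.jwt_refresh = jwt_refresh   # True: RT is a JWT and no refresh_expires_in is sent
        self.grants, self._refresh_exp, self._issued = [], {}, 0   # grants seen; RT -> expiry

    def token(self, grant_type: str, **params) -> dict:
        self.grants.append(grant_type)
        now = self.clock()
        if grant_type == "refresh_token":
            exp = self._refresh_exp.get(params.get("refresh_token"))
            if exp is None or exp <= now:
                raise GrantError("invalid_grant", "Refresh token expired")
        self._issued += 1
        rt_exp = now + self.refresh_ttl
        rt = (make_unsigned_jwt({"jti": self._issued, "exp": rt_exp}) if self.jwt_refresh
              else f"rt-{self._issued}")
        self._refresh_exp[rt] = rt_exp
        resp = {"access_token": f"at-{self._issued}", "expires_in": self.access_ttl,
                "refresh_token": rt}
        if not self.jwt_refresh:
            resp["refresh_expires_in"] = self.refresh_ttl   # non-standard, Keycloak-style
        return resp

Tokens = namedtuple("Tokens", "access_token access_expires_at refresh_token refresh_expires_at")

class OidcClient:
    """Illustrative client. check_refresh_expiry=False reproduces the reported failure."""
    def __init__(self, endpoint, clock, grant_params: dict,
                 refresh_expires_in_property: str = "refresh_expires_in",
                 check_refresh_expiry: bool = True):
        self.endpoint, self.clock, self.grant_params = endpoint, clock, grant_params
        self.refresh_expires_in_property = refresh_expires_in_property
        self.check_refresh_expiry = check_refresh_expiry
        self.tokens: Optional[Tokens] = None

    def _store(self, resp: dict, now: float) -> Tokens:
        rt, rt_exp = resp.get("refresh_token"), None   # rt_exp None: expiry unknown
        if rt is not None:
            if self.refresh_expires_in_property in resp:   # 1. configured property
                rt_exp = now + float(resp[self.refresh_expires_in_property])
            else:                                          # 2. exp claim if the RT is a JWT
                rt_exp = jwt_exp(rt)
        self.tokens = Tokens(resp["access_token"], now + float(resp["expires_in"]), rt, rt_exp)
        return self.tokens

    def get_tokens(self) -> Tokens:
        now, t = self.clock(), self.tokens
        if t is not None and t.access_expires_at > now:
            return t
        rt_usable = t is not None and t.refresh_token is not None and (
            not self.check_refresh_expiry or t.refresh_expires_at is None
            or t.refresh_expires_at > now)
        if rt_usable:
            return self._store(self.endpoint.token("refresh_token",
                                                   refresh_token=t.refresh_token), now)
        # No RT, or it has expired as well: repeat the original grant for a new pair.
        return self._store(self.endpoint.token(**self.grant_params), now)

def run_scenario(jwt_refresh: bool = False, check_refresh_expiry: bool = True) -> list:
    """AT expires first, then both expire; returns the grant types the endpoint saw."""
    clock = {"now": 1000.0}
    endpoint = FakeTokenEndpoint(300, 1800, lambda: clock["now"], jwt_refresh)
    client = OidcClient(endpoint, lambda: clock["now"],
                        {"grant_type": "password", "username": "alice", "password": "secret"},
                        check_refresh_expiry=check_refresh_expiry)
    client.get_tokens()          # initial password grant
    clock["now"] += 600          # AT expired, RT still valid -> refresh_token grant
    client.get_tokens()
    clock["now"] += 1800         # AT and RT both expired -> password grant repeated
    client.get_tokens()
    return endpoint.grants
```

With the expiry check on, `run_scenario()` yields the grant sequence password, refresh_token, password for both the `refresh_expires_in` and the JWT refresh token cases; with `check_refresh_expiry=False` the third call attempts the refresh grant and gets the "Refresh token expired" rejection from the issue. Two caveats worth keeping in mind: when the provider sends neither the configured property nor a JWT refresh token, the expiry stays unknown and the client still has to try the refresh grant, so that failure mode is not fully closed in that configuration; and the `exp` read out of a JWT-shaped refresh token is only an estimate of its lifetime, not a reason to treat the token as validated, which is why the signature is left unchecked.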

@sberyozkin sberyozkin force-pushed the oidc_client_refresh_token_expired branch from 65c368d to 012a41f on December 3, 2021 17:20
@sberyozkin

Thanks @gastaldi, I see a few inaccuracies in the test comments so I'll do a minor update. @pedroigor, hope you are OK with this PR as well.

@sberyozkin sberyozkin force-pushed the oidc_client_refresh_token_expired branch from 012a41f to 1ac3ce4 on December 3, 2021 17:39
@sberyozkin sberyozkin merged commit 6b95e85 into quarkusio:main Dec 3, 2021
@quarkus-bot quarkus-bot bot added this to the 2.6 - main milestone Dec 3, 2021
@sberyozkin sberyozkin deleted the oidc_client_refresh_token_expired branch December 3, 2021 18:50
@gsmet gsmet modified the milestones: 2.6.0.CR1, 2.5.2.Final Dec 9, 2021
Development

Successfully merging this pull request may close these issues.

OidcClient has failed to complete the refresh_token grant request: "error_description":"Refresh token expired"