Skip to content

Optional ID token should not be required on token refresh #102

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
anderius opened this issue Sep 23, 2024 · 2 comments
Closed

Optional ID token should not be required on token refresh #102

anderius opened this issue Sep 23, 2024 · 2 comments

Comments

@anderius
Copy link

anderius commented Sep 23, 2024
edited
Loading

Our setup fails to refresh tokens, simply because our IdP does not return id_token in the refresh token response.

As can be seen here, that is optional: https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokenResponse

Upon successful validation of the Refresh Token, the response body is the Token Response of Section 3.1.3.3 except that it might not contain an id_token.

The code here, however, requires id_token:

nginx-openid-connect/openid_connect.js

Lines 85 to 92 in afa8f4c

if (!tokenset.id_token) {
r.error("OIDC refresh response did not include id_token");
if (tokenset.error) {
r.error("OIDC " + tokenset.error + " " + tokenset.error_description);
}
r.variables.refresh_token = "-";
r.return(302, r.variables.request_uri);
return;

It would be nice if id_token was not required.
@anderius
Copy link
Author

anderius commented Oct 16, 2024
edited
Loading

Another very related issue with the code is that it uses the id token in the variable session_jwt, and that is used in validating each request:

nginx-openid-connect/frontend.conf

Line 21 in afa8f4c

auth_jwt "" token=$session_jwt;

This does not work when the id-token is not refreshed.

@anderius anderius changed the title Optional ID token is required upon token refresh Optional ID token should not be required on token refresh Oct 29, 2024
@route443
Copy link
Contributor

After the user is successfully authenticated on the AS and nginx retrieves the token set, a key-val pair is created in the keyval: $cookie_auth_token -> $session_jwt

For each subsequent request with these cookies, the auth_jwt module can successfully retrieve $session_jwt and use it as the token:

auth_jwt "" token=$session_jwt;

This is a specific behavior of the implementation. It’s important to note that nginx doesn't store variables persistently (except via keyval), and you are able to work with claims from the ID token only because the auth_jwt module "parses" the token on every request.

This behavior can be changed, but it would make the configuration more complex, as you would need to manually store all required claims in keyval explicitly.

PS. The lifespan of the id token is indeed not tied to the lifespan of the session (cookie), that’s correct. However, the only current workaround is to increase the exp of the ID token.
Unfortunately, if you are using the refresh mechanism to renew the access token (which is its intended purpose), this approach will not work effectively.

@route443 route443 closed this as not planned Won't fix, can't repro, duplicate, stale Jan 16, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@anderius @route443