-
Notifications
You must be signed in to change notification settings - Fork 94
Optional ID token should not be required on token refresh #102
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Comments
Another very related issue with the code is that it uses the id token in the variable nginx-openid-connect/frontend.conf Line 21 in afa8f4c
This does not work when the id-token is not refreshed. |
After the user is successfully authenticated on the AS and nginx retrieves the token set, a key-val pair is created in the keyval: For each subsequent request with these cookies, the auth_jwt "" token=$session_jwt; This is a specific behavior of the implementation. It’s important to note that nginx doesn't store variables persistently (except via keyval), and you are able to work with claims from the ID token only because the This behavior can be changed, but it would make the configuration more complex, as you would need to manually store all required claims in keyval explicitly. PS. The lifespan of the id token is indeed not tied to the lifespan of the session (cookie), that’s correct. However, the only current workaround is to increase the exp of the ID token. |
Uh oh!
There was an error while loading. Please reload this page.
Our setup fails to refresh tokens, simply because our IdP does not return id_token in the refresh token response.
As can be seen here, that is optional: https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokenResponse
The code here, however, requires id_token:
nginx-openid-connect/openid_connect.js
Lines 85 to 92 in afa8f4c
It would be nice if id_token was not required.
The text was updated successfully, but these errors were encountered: