Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

quarkus-oidc does not check expiry timestamp of refresh token, resulting in failed refresh call. #41830

Closed
jens-crelan opened this issue Jul 11, 2024 · 3 comments · Fixed by #43081
Closed

quarkus-oidc does not check expiry timestamp of refresh token, resulting in failed refresh call. #41830

jens-crelan opened this issue Jul 11, 2024 · 3 comments · Fixed by #43081
Labels
area/oidc kind/bug Something isn't working
Milestone
3.16.0.CR1

Comments

@jens-crelan
Copy link

Describe the bug

We are using quarkus-oidc in our project. Our identity server is configured with the following settings:

ID token lifespan: 5m
Access token lifespan: 5m
Refresh token lifespan: 30m

In a normal case, you would set quarkus.oidc.authentication.session-age-extension to 25m. We have a case where we wanted to close the session when the user closes his browser, so we modified the session cookies to have a 'Session' lifespan. This extends the quarkus session beyond those 30m.

We observed that after 30 minutes of inactivity, an attempt is made to refresh the id token. This request will fail, because the refresh token is expired. The refresh token has an expiry date, which could be checked before the refresh request.

Expected behavior

When an id token is expired, quarkus should check if the refresh token is expired. If the refresh token is expired, quarkus should not make an attempt te refresh the id token.

Actual behavior

Currently a ID token refresh is attempted without checking the expiry time of the refresh token.

How to Reproduce?

  1. Modify the config so a quarkus session lives longer than a refresh token. For example:
  • refresh token age: 30m
  • quarkus.oidc.authentication.session-age-extension set to 1h
  1. Succesfully log into your application
  2. Stay idle for longer than 30m but not longer than 1h
  3. Interact with your application
  4. You will see the "Token as expired, trying to refresh it" debug log.

Output of uname -a or ver

No response

Output of java -version

java 17.0.5 2022-10-18 LTS

Quarkus version or git rev

3.6.1

Build tool (ie. output of mvnw --version or gradlew --version)

No response

Additional information

No response
@jens-crelan jens-crelan added the kind/bug Something isn't working label Jul 11, 2024
@quarkus-bot quarkus-bot
Copy link

quarkus-bot bot commented Jul 11, 2024

/cc @pedroigor (oidc), @sberyozkin (oidc)

@sberyozkin
Copy link
Member

@jens-crelan Is it in JWT format ? if yes, we can check if it itself has expired.

@jens-crelan
Copy link
Author

@sberyozkin yes it is

@sberyozkin sberyozkin mentioned this issue Sep 6, 2024
Merged
@quarkus-bot quarkus-bot bot added this to the 3.16 - main milestone Sep 6, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/oidc kind/bug Something isn't working
Projects
None yet
Milestone
3.16.0.CR1
Development

Successfully merging a pull request may close this issue.

Avoid an OIDC refresh token call if the JWT refresh token has expired sberyozkin/quarkus
2 participants
@sberyozkin @jens-crelan