Skip to content
Hans Zandbelt edited this page Feb 14, 2024 · 10 revisions

Parallel Refresh Token Grants

When using OIDCRefreshAccessTokenBeforeExpiry and/or OIDCUserInfoRefreshInterval requests originating from the same user/session reaching different Apache processes simultaneously may lead to execution of several refresh token grants in parallel which could lead to issuance of overlapping/invalidated refresh tokens when used with rolling refresh tokens. The last issued refresh token may be overwritten in the session with an earlier one and as such may lead to an unrecoverable situation.

A mitigation has been added since 2.4.15.3 to avoid this by caching and re-using the result of the first token refresh grant request. This also improves the situation with persistent refresh tokens as previously these requests would lead to multiple access tokens and ID tokens being issued for the same session (with the last one winning). This mechanism guarantees correct handling of parallel refresh requests on a single host using a system wide process lock.

A "best effort distributed parallel refresh prevention" is used to prevent this issue when rolling refresh tokens are used across different Apache servers. The first caller writes a "best effort lock" into the shared cache backend upon starting the refresh token request and the other callers wait for its completion to consume its results. Note that since the server cache backend cannot be atomically locked across multiple hosts, this is not 100% failsafe, so the advice is still to not use rolling refresh tokens with clustered Apache servers, unless using sticky sessions.

Lastly, rolling refresh tokens must not be used together with OIDCSessionType client-cookie when there is no shared caching mechanism in use between the Apache servers (i.e. when using OIDCCacheType shm, which is usually the reason for using client-cookie). Sticky sessions can be used to mitigate the issue here as well.

POST Data Preservation (1)

Preservation of POST data with OIDCPreservePost On over session timeouts and newly initiated sessions is only supported with simple name/value pairs i.e. using Content-Type: application/x-www-form-urlencoded, not arbitrary (streamed) POST data.

POST Data Preservation (2) and Authorization / Step-Up Authentication

Preservation of POST date combined with OIDCPreservePost On and Authorization using Require claim directives or Step-Up Authentication don't work together over plain HTTP, running over HTTPs does seem to avoid this limitation. See also other limitations associated with Step-Up Authentication here: https://github.com/OpenIDC/mod_auth_openidc/wiki/Step-up-Authentication#limitations

Global Provider Configuration

It is not possible to specify OpenID Connect Provider primitives (OIDCProvider*) on a on a per-directory/location basis, those primitives are only supported on the global/vhost level.