-
-
Notifications
You must be signed in to change notification settings - Fork 249
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix zmartzone/lua-resty-openidc#157 : Update Id token in session afte… #158
Conversation
Thank you. Should we remove an existing id token from the session if the token response after refresh does not contain a new id token? Section 12.2 of the OIDC Core Spec says
|
I don't think an existing id_token should be removed:
|
I agree, in that case the PR looks good to me. |
It would be great to include a test for it... (never thought I would say that ;-)) |
Unless @grrolland wants to take a stab at test I can try to carve out some time at the weekend. |
I've pushed the PR, a small refactoring (please have a look at 11a9f26 @grrolland ) and tests to the pr-158 branch. While thinking through the case where the token endpoint returns an invalid id token on refresh I feel the handling is inconsistent right now. |
I don't see that last implication: whatever access token is returned from the token endpoint may be stored in the session; even if there's an error in a subsequent call to the token endpoint, we can still choose to preserve the old one under the assumption "if it still valid it is ok otherwise we'll find out sooner or later" |
As the current code stands the old access token has been replaced by the one that was returned from the token endpoint inside of the session. The inconsistency I see is that we don't return the access token because id token verification failed but we still store it inside the session. I'd be fine with either removing the access token completely or keeping the old one, but the current state feels wrong to me. |
Ah right, I misunderstood at first but agree with you. I'd like to store the new access token. |
What would be your preferred option, remove clear the tokens completely or restore the old ones? I don't think the old ones will be useful as the refresh token has already been used by now and the access token has likely expired, so would opt for clearing the tokens. |
Yeah, you're right: the reason for refreshing should be that the client can't use the existing access token so there should be no reason to keep it regardless of the result. That is different from the id_token. |
OK, I've changed the branch, see a968e76 |
So now the |
Ah, thanks, you are right. 551564f |
the log message "ngx.log(ngx.ERR, "invalid id token, discaring refreshed id token") |
Not sure I know what you mean with "off", see b27009f Unfortunately I've got some second thoughts again, sorry for that. Wouldn't it be cleaner if we verified an id_token returned while refreshing regardless of whether we are going to store it inside the session? In that case we could treat it like a "normal" token refresh error and simply leave the whole session alone (see https://github.com/zmartzone/lua-resty-openidc/blob/master/lib/resty/openidc.lua#L1090 ). |
regarding those latest thoughts see 13516c4 in yet another branch that I'll need to clean up once we are happy :-) |
merged, thanks @grrolland ! |
This pull request update the id token in session after refreshing tokens with token endpoint. Finally, the content of the session is coherent (access token, refresh token, id token).