Fix idp session check and token refreshment

gogatekeeper · Jun 6, 2024 · 58910ee · 58910ee
1 parent c86921f
commit 58910ee
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 13 deletions.
diff --git a/pkg/proxy/middleware/oauth.go b/pkg/proxy/middleware/oauth.go
@@ -85,18 +85,6 @@ func AuthenticationMiddleware(
 			// https://github.com/coreos/go-oidc/issues/402
 			oidcLibCtx := context.WithValue(ctx, oauth2.HTTPClient, httpClient)
 
-			if enableIDPSessionCheck {
-				tokenSource := oauth2.StaticTokenSource(
-					&oauth2.Token{AccessToken: user.RawToken},
-				)
-				_, err := provider.UserInfo(oidcLibCtx, tokenSource)
-				if err != nil {
-					scope.Logger.Error(err.Error())
-					redirectToAuthorization(wrt, req)
-					return
-				}
-			}
-
 			// step: skip if we are running skip-token-verification
 			if skipTokenVerification {
 				scope.Logger.Warn(
@@ -314,6 +302,18 @@ func AuthenticationMiddleware(
 				}
 			}
 
+			if enableIDPSessionCheck {
+				tokenSource := oauth2.StaticTokenSource(
+					&oauth2.Token{AccessToken: scope.Identity.RawToken},
+				)
+				_, err := provider.UserInfo(oidcLibCtx, tokenSource)
+				if err != nil {
+					scope.Logger.Error(err.Error())
+					redirectToAuthorization(wrt, req)
+					return
+				}
+			}
+
 			*req = *(req.WithContext(ctx))
 			next.ServeHTTP(wrt, req)
 		})

diff --git a/pkg/testsuite/middleware_test.go b/pkg/testsuite/middleware_test.go
@@ -1529,6 +1529,35 @@ func TestRefreshToken(t *testing.T) {
 				},
 			},
 		},
+		{
+			Name: "TestRefreshTokenWithIdpSessionCheck",
+			ProxySettings: func(conf *config.Config) {
+				conf.EnableIDPSessionCheck = true
+				conf.EnableRefreshTokens = true
+				conf.EnableEncryptedToken = true
+				conf.Verbose = true
+				conf.EnableLogging = true
+				conf.EncryptionKey = testEncryptionKey
+			},
+			ExecutionSettings: []fakeRequest{
+				{
+					URI:                           FakeAuthAllURL,
+					HasLogin:                      true,
+					Redirects:                     true,
+					OnResponse:                    delay,
+					ExpectedProxy:                 true,
+					ExpectedCode:                  http.StatusOK,
+					ExpectedLoginCookiesValidator: map[string]func(*testing.T, *config.Config, string) bool{cfg.CookieRefreshName: checkRefreshTokenEncryption},
+				},
+				{
+					URI:           FakeAuthAllURL,
+					Redirects:     false,
+					HasLogin:      false,
+					ExpectedProxy: true,
+					ExpectedCode:  http.StatusOK,
+				},
+			},
+		},
 		{
 			Name: "TestRefreshTokenEncryptionWithClientIDAndIssuerCheckOn",
 			ProxySettings: func(conf *config.Config) {
@@ -2888,7 +2917,7 @@ func TestAuthenticationMiddleware(t *testing.T) {
 					RawToken:          badlySignedToken,
 					HasCookieToken:    true,
 					ExpectedProxy:     false,
-					ExpectedCode:      http.StatusSeeOther,
+					ExpectedCode:      http.StatusForbidden,
 				},
 			},
 		},