-
Notifications
You must be signed in to change notification settings - Fork 2.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OIDC token refresh fails with 401, if user info is used and not available in the cache (anymore) #31714
Comments
/cc @gwenneg (cache), @pedroigor (oidc), @sberyozkin (oidc) |
@sschellh I think this issue was already fixed, can you please add |
The code flow access token is not used by Quarkus itself, it is expected the downstream service like the actual OIDC provider in case of the UserInfo request will verify it. |
Hi @sberyozkin Many thanks for your response and your suggestion. From what I see setting
Are there any other settings you want me to verify? |
@sschellh Thanks for verifying it. Hmm, so you have a binary access token, can you please check if the introspection response contains an expiry date for the inactive token (I can only think of putting a breakpoint in |
Or may be we just can add a property always requiring a refresh whatever the verification failure is |
Hello @sberyozkin If the access token is expired, then the introspection response is just like that: I would expect following behavior (not sure however if this is possible):
Ideally that process should be independent from the question whether access token validation is activated or not. Another question I ask myself in this context is why the session duration is derived from the id_token lifetime and not from the maximum out of id_token lifetime and refresh token lifetime). Because as long as the refresh token is valid, the session can be kept active as one can always ask for a new access_token and id_token. |
But the whole problem is that your application requires
See #30766 |
The ID token verification failure in this context if this is what is logged is confusing and will have to be fixed, the code authentication mechanism dealing with the session is not aware why the OIDC identity provider failed the authentication request, so it should log a more precise message that ID token / session is valid but the request can not continue due to this or that failure |
@sschellh, more about
So I linked to #30766, but does your provider return refresh token in JWT format ? How will Quarkus know what the refresh token lifespan is ? |
The introspection endpoint returns the expire information of the refresh token. |
And the token refresh process should be started (if there is a refresh token). |
Are you sure ? Did you mean a code exchange response and
Only if it is proven that the ID or access token has expired. In your case we don't have any proof the access token has expired. If the introspection response was returning the access token expiry time then it would prove it. Without this proof the DDOS surface for the binary tokens increases dramatically, anyone can send random blobs and Quarkus will be stressing the OIDC provider with the bound to fail introspection and/or refresh attempts, etc However if the code exchange response returns |
No. The code exchange response does not contain this information. Only the introspection endpoint. |
I'm sorry, but if you'd like the refresh token lifetime be automatically used to to set the session lifespan then it will need to be returned from the code exchange response. I know Keycloak does it, Microsoft (https://learn.microsoft.com/en-us/linkedin/shared/authentication/programmatic-refresh-tokens) and possibly others. Requesting a remote refresh token introspection just to get its expiry time seems too expensive. That is though is not really related to this issue. Can you give me a favor and confirm your provider returns |
@sschellh Re the refresh token, that said, since auto-extending the session to the lifetime of RT will be optional, i.e, require a user approval (because of the RT lifetime is 1 month and ID token lifetime is 1 day then I don't think it will be wise for Quarkus support the session for 1 month out of the box - in real deployments users may not want that and may prefer re-authentication), I may as well try a falback with a refresh token introspection. I'd like quarkus-oidc support all sort of variations, I'll see how that goes when I get a chance to look at that issue. |
Yes the code exchange and the access token introspection response contain the |
@sschellh sounds good. Thanks |
@sschellh FYI, #31811, that update is all what should be required to get this issue fixed, I won't have time right now to add a test as we have another test for exactly the same scenario for JWT access tokens without the introspection, have a look please at this PR if you can to confirm it resolves the problem. Note the (code flow) access token verification should be enabled as discussed above. |
@sberyozkin I have a similar issue (401 when requesting user info and (opaque) access token expired). |
@srozange Sorry I missed your ping, I'm actually trying to complete that PR right now, just struggling a bit with the test. We need to take it step by step, some providers will return that in the introspection response, so the PR will work for those cases. The next option is to retain the binary access token expiry date when it is provided in the code exchange response. I'll look into it at some point after the current PR is complete |
@srozange Please create another issue to have access token expiry saved un a cookie, it will be tricky and likely require encryption, but let's track it, thanks |
This MR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [flow-bin](https://github.com/flowtype/flow-bin) ([changelog](https://github.com/facebook/flow/blob/master/Changelog.md)) | devDependencies | minor | [`^0.201.0` -> `^0.203.0`](https://renovatebot.com/diffs/npm/flow-bin/0.201.0/0.203.1) | | [com.rometools:rome](http://rometools.com) ([source](https://github.com/rometools/rome)) | compile | minor | `2.0.0` -> `2.1.0` | | [org.postgresql:postgresql](https://jdbc.postgresql.org) ([source](https://github.com/pgjdbc/pgjdbc)) | build | minor | `42.5.4` -> `42.6.0` | | [com.diffplug.spotless:spotless-maven-plugin](https://github.com/diffplug/spotless) | build | minor | `2.34.0` -> `2.35.0` | | [org.apache.maven.plugins:maven-resources-plugin](https://maven.apache.org/plugins/) | build | patch | `3.3.0` -> `3.3.1` | | [io.quarkus:quarkus-maven-plugin](https://github.com/quarkusio/quarkus) | build | patch | `2.16.4.Final` -> `2.16.6.Final` | | [io.quarkus:quarkus-universe-bom](https://github.com/quarkusio/quarkus-platform) | import | patch | `2.16.4.Final` -> `2.16.6.Final` | --- ### Release Notes <details> <summary>flowtype/flow-bin</summary> ### [`v0.203.1`](flow/flow-bin@0c16b26...5e0645d) [Compare Source](flow/flow-bin@0c16b26...5e0645d) ### [`v0.203.0`](flow/flow-bin@861f798...0c16b26) [Compare Source](flow/flow-bin@861f798...0c16b26) ### [`v0.202.1`](flow/flow-bin@2b48bba...861f798) [Compare Source](flow/flow-bin@2b48bba...861f798) ### [`v0.202.0`](flow/flow-bin@86aea9c...2b48bba) [Compare Source](flow/flow-bin@86aea9c...2b48bba) </details> <details> <summary>rometools/rome</summary> ### [`v2.1.0`](https://github.com/rometools/rome/releases/tag/2.1.0) [Compare Source](rometools/rome@2.0.0...2.1.0) <!-- Release notes generated using configuration in .github/release.yml at 2.1.0 --> #### What's Changed ##### ⭐ New Features - Downgrade Java from version 11 to 8 by [@​PatrickGotthard](https://github.com/PatrickGotthard) in rometools/rome#642 - Add support for GraalVM native images by [@​artembilan](https://github.com/artembilan) in rometools/rome#636 ##### 🔨 Dependency Upgrades - Bump maven-compiler-plugin from 3.10.1 to 3.11.0 by [@​dependabot](https://github.com/dependabot) in rometools/rome#635 ##### 🧹 Cleanup - Remove unused config files by [@​PatrickGotthard](https://github.com/PatrickGotthard) in rometools/rome#632 - Polish GitHub workflows by [@​PatrickGotthard](https://github.com/PatrickGotthard) in rometools/rome#633 - Polish code by [@​antoniosanct](https://github.com/antoniosanct) in rometools/rome#631 ##### ✔ Other Changes - Update configuration for automatically generated release notes by [@​PatrickGotthard](https://github.com/PatrickGotthard) in rometools/rome#634 #### New Contributors - [@​artembilan](https://github.com/artembilan) made their first contribution in rometools/rome#636 **Full Changelog**: rometools/rome@2.0.0...2.1.0 </details> <details> <summary>pgjdbc/pgjdbc</summary> ### [`v42.6.0`](https://github.com/pgjdbc/pgjdbc/blob/HEAD/CHANGELOG.md#​4260-2023-03-17-153434--0400) ##### Changed fix: use PhantomReferences instead of `Obejct.finalize()` to track Connection leaks [MR #​2847](pgjdbc/pgjdbc#2847) The change replaces all uses of Object.finalize with PhantomReferences. The leaked resources (Connections) are tracked in a helper thread that is active as long as there are connections in use. By default, the thread keeps running for 30 seconds after all the connections are released. The timeout is set with pgjdbc.config.cleanup.thread.ttl system property. refactor:(loom) replace the usages of synchronized with ReentrantLock [MR #​2635](pgjdbc/pgjdbc#2635) Fixes [Issue #​1951](pgjdbc/pgjdbc#1951) </details> <details> <summary>diffplug/spotless</summary> ### [`v2.35.0`](https://github.com/diffplug/spotless/blob/HEAD/CHANGES.md#​2350---2023-02-10) ##### Added - CleanThat Java Refactorer. ([#​1560](diffplug/spotless#1560)) - Introduce `LazyArgLogger` to allow for lazy evaluation of log messages in slf4j logging. ([#​1565](diffplug/spotless#1565)) ##### Fixed - Allow multiple instances of the same npm-based formatter to be used by separating their `node_modules` directories. ([#​1565](diffplug/spotless#1565)) - `ktfmt` default style uses correct continuation indent. ([#​1562](diffplug/spotless#1562)) ##### Changes - Bump default `ktfmt` version to latest `0.42` -> `0.43` ([#​1561](diffplug/spotless#1561)) - Bump default `jackson` version to latest `2.14.1` -> `2.14.2` ([#​1536](diffplug/spotless#1536)) </details> <details> <summary>quarkusio/quarkus</summary> ### [`v2.16.6.Final`](https://github.com/quarkusio/quarkus/releases/tag/2.16.6.Final) [Compare Source](quarkusio/quarkus@2.16.5.Final...2.16.6.Final) ##### Complete changelog - [#​32319](quarkusio/quarkus#32319) - \[2.16] Revert io.netty.noUnsafe change - [#​32302](quarkusio/quarkus#32302) - Qute - fix validation of expressions with the "cdi" namespace - [#​32253](quarkusio/quarkus#32253) - (2.16) Upgrade to graphql-java 19.4 - [#​32223](quarkusio/quarkus#32223) - (2.16) Upgrade wildfly-elytron to 1.20.3.Final - [#​32110](quarkusio/quarkus#32110) - Prevent splitting of cookie header values when using AWS Lambda - [#​32107](quarkusio/quarkus#32107) - Fix Podman detection on Windows - [#​32106](quarkusio/quarkus#32106) - Native building with container: Podman not detected on Windows - [#​32093](quarkusio/quarkus#32093) - Re-use current ApplicationModel for JaCoCo reports when testing Gradle projects - [#​32090](quarkusio/quarkus#32090) - K8s moved its registry - [#​32088](quarkusio/quarkus#32088) - Remove the session cookie if ID token verification failed - [#​32082](quarkusio/quarkus#32082) - Add missing quote in Hibernate Reactive with Panache guide - [#​32079](quarkusio/quarkus#32079) - Quarkus JaCoCo extension fails to start Gradle daemon - [#​32058](quarkusio/quarkus#32058) - Allow use of null in REST Client request body - [#​32047](quarkusio/quarkus#32047) - rest client reactive throws npe on null request body - [#​32041](quarkusio/quarkus#32041) - K8s is moving it's images - [#​32037](quarkusio/quarkus#32037) - Set-Cookie Header is Split when using OIDC together with AWS Lambda - [#​32015](quarkusio/quarkus#32015) - Support repeatable Incomings annotation for reactive messaging - [#​32002](quarkusio/quarkus#32002) - Quarkus: Kafka Event Processor with 2 `@incoming` annotations throws Null Pointer SRMSG00212 - [#​31984](quarkusio/quarkus#31984) - Only substitute OctetKeyPair\* classes when on the classpath - [#​31978](quarkusio/quarkus#31978) - Remove quarkus.hibernate-orm.database.generation=drop-and-create from Hibernate ORM codestart - [#​31930](quarkusio/quarkus#31930) - Native build fails for JWT - [#​31893](quarkusio/quarkus#31893) - Docker or Podman required for tests since 3.0.0.Alpha6 - [#​31857](quarkusio/quarkus#31857) - Container runtime detection cached in sys prop, container-docker extension - [#​31811](quarkusio/quarkus#31811) - Check the expiry date for inactive OIDC tokens - [#​31717](quarkusio/quarkus#31717) - Quarkus OIDC Session Cookie not deleted in case of 401 unauthorized - [#​31714](quarkusio/quarkus#31714) - OIDC token refresh fails with 401, if user info is used and not available in the cache (anymore) - [#​31662](quarkusio/quarkus#31662) - Warning when docker is not running - [#​31525](quarkusio/quarkus#31525) - Bump Keycloak version to 21.0.1 - [#​31490](quarkusio/quarkus#31490) - Enable Podman and Docker Windows quarkus-container-image-docker testing - [#​31307](quarkusio/quarkus#31307) - Native Build on Windows has incorrect resource slashes - [#​30383](quarkusio/quarkus#30383) - Create a new base classloader including parent-first test scoped dependencies when bootstrapping for CT ### [`v2.16.5.Final`](https://github.com/quarkusio/quarkus/releases/tag/2.16.5.Final) [Compare Source](quarkusio/quarkus@2.16.4.Final...2.16.5.Final) ##### Complete changelog - [#​31959](quarkusio/quarkus#31959) - New home for Narayana LRA coordinator Docker images - [#​31931](quarkusio/quarkus#31931) - Support raw collections in RESTEasy Reactive server and client - [#​31922](quarkusio/quarkus#31922) - Add more lenient Liquibase ZipPathHandler to work around includeAll not working in prod mode - [#​31904](quarkusio/quarkus#31904) - \[2.16] Upgrade SmallRye GraphQL to 1.9.4 - [#​31894](quarkusio/quarkus#31894) - Supply missing extension metadata for reactive keycloak client - [#​31891](quarkusio/quarkus#31891) - Fix truststore REST Client config when password is not set - [#​31867](quarkusio/quarkus#31867) - Qute type-safe fragments - fix validation for loop metadata and globals - [#​31866](quarkusio/quarkus#31866) - The behavior of the `@RestHeader` annotation is different from the `@HeaderParam` annotation when the parameter is of type List - [#​31864](quarkusio/quarkus#31864) - Fix incorrect generic type passed to MessageBodyWriter#writeTo - [#​31818](quarkusio/quarkus#31818) - Jackson JAX-RS YAML Provider for Resteasy Reactive - [#​31804](quarkusio/quarkus#31804) - \[2.16] A test to make sure non-existing modules are ignored during workspace discovery - [#​31793](quarkusio/quarkus#31793) - \[2.16] Fix NPE loading workspace modules - [#​31770](quarkusio/quarkus#31770) - Fix native compilation when using quarkus-jdbc-oracle with elasticsearch-java - [#​31769](quarkusio/quarkus#31769) - Capability added for quarkus-rest-client-reactive-jackson - [#​31756](quarkusio/quarkus#31756) - quarkus-rest-client-reactive-jackson doesn't provide capabilities - [#​31728](quarkusio/quarkus#31728) - Register additional cache implementations for reflection - [#​31718](quarkusio/quarkus#31718) - Properly close metadata file in integration tests - [#​31713](quarkusio/quarkus#31713) - "Too many open files" When test native image. - [#​31712](quarkusio/quarkus#31712) - Make request scoped beans work properly in ReaderInterceptors - [#​31705](quarkusio/quarkus#31705) - Remove all dev services for kubernetes dependencies from kubernetes-client-internal - [#​31692](quarkusio/quarkus#31692) - RequestScoped context not active when using a ReaderInterceptor with large HTTP requests - [#​31688](quarkusio/quarkus#31688) - Suppress config changed warning for quarkus.test.arg-line - [#​31643](quarkusio/quarkus#31643) - Fix iterator issue when executing a zrange with score on a missing key - [#​31626](quarkusio/quarkus#31626) - quarkus.test.arg-line has become a built-time fixed property in 2.16.4 - [#​31624](quarkusio/quarkus#31624) - native compilation : quarkus-jdbc-oracle with elasticsearch-java strange behaviour - [#​31617](quarkusio/quarkus#31617) - Bump Stork version 1.4.2 - [#​31579](quarkusio/quarkus#31579) - Reinitialize sun.security.pkcs11.P11Util at runtime - [#​31560](quarkusio/quarkus#31560) - Prevent SSE writing from potentially causing accumulation of headers - [#​31559](quarkusio/quarkus#31559) - `SseUtil` unexpectedly stores headers in `Serialisers.EMPTY_MULTI_MAP` - [#​31551](quarkusio/quarkus#31551) - Scheduler - detect scheduled methods of the same name on a class - [#​31547](quarkusio/quarkus#31547) - Scheduler - it's possible to declare two scheduled methods of the same name on the same class - [#​31545](quarkusio/quarkus#31545) - Append System.lineSeparator() to config error messages - [#​31536](quarkusio/quarkus#31536) - Missing newline characters in config error message - [#​31532](quarkusio/quarkus#31532) - Interpret negative/zero body-limit as infinite when logging REST Client request body - [#​31523](quarkusio/quarkus#31523) - Request rejected by CORS for fonts in dev UI when `quarkus.http.cors=true` is set - [#​31496](quarkusio/quarkus#31496) - Filter out RESTEasy related warning in ProviderConfigInjectionWarningsTest - [#​31482](quarkusio/quarkus#31482) - Remove incorrect default value for keepAliveEnabled - [#​31440](quarkusio/quarkus#31440) - Several quarkus integration tests fail to compile to native with latest GraalVM master - [#​31384](quarkusio/quarkus#31384) - Ignore required documentation for `@ConfigMapping` default methods - [#​30757](quarkusio/quarkus#30757) - Allow same origin CORS requests without 3rd party origins being configured - [#​30744](quarkusio/quarkus#30744) - \[Quarkus Native] ClassNotFoundException: com.github.benmanes.caffeine.cache.SSSW - [#​30698](quarkusio/quarkus#30698) - CORS Request same origin ignored if no other origin set </details> <details> <summary>quarkusio/quarkus-platform</summary> ### [`v2.16.6.Final`](quarkusio/quarkus-platform@2.16.5.Final...2.16.6.Final) [Compare Source](quarkusio/quarkus-platform@2.16.5.Final...2.16.6.Final) ### [`v2.16.5.Final`](quarkusio/quarkus-platform@2.16.4.Final...2.16.5.Final) [Compare Source](quarkusio/quarkus-platform@2.16.4.Final...2.16.5.Final) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever MR is behind base branch, or you tick the rebase/retry checkbox. 👻 **Immortal**: This MR will be recreated if closed unmerged. Get [config help](https://github.com/renovatebot/renovate/discussions) if that's undesired. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this MR, check this box --- This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNC4yNC4wIiwidXBkYXRlZEluVmVyIjoiMzQuMjQuMCJ9-->
Describe the bug
We are using Quarkus OIDC and for our clientId the following settings are configured with the Identity Provider:
(small numbers for testing only!)
We have configured Quarkus OIDC with following settings:
After a users logs in, the q_session lifetime is set to the duration of the OIDC token plus the session-age-extension. In our case the session lifetime is exactly as long as the refresh token lifetime.
Expected behavior
When a user makes a request after the id token and access token expired, but before the refresh token and the session cookie expired, then the refresh token is used to retrieve a new pair of access token, id token and refresh token from the identity provider.
Actual behavior
When a user makes a request after the id token and access token expired, but before the refresh token and the session cookie expired, then an HTTP 401 exception is returned.
In the logs we can find the following DEBUG and ERROR statements:
How to Reproduce?
Steps to reproduce
Output of
uname -a
orver
No response
Output of
java -version
No response
GraalVM version (if different from Java)
No response
Quarkus version or git rev
2.16.3.Final
Build tool (ie. output of
mvnw --version
orgradlew --version
)Gradle 7.3.3
Additional information
No response
The text was updated successfully, but these errors were encountered: