Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Generate ID token if it is not refreshed #29214

Merged
merged 1 commit into from
Nov 13, 2022
Merged

Generate ID token if it is not refreshed #29214

merged 1 commit into from
Nov 13, 2022

Conversation

sberyozkin
Copy link
Member

Fixes #29144

This PR addresses a case where a provider does not return a new ID token after a token refresh in a similar way we handle GitHub and other OAuth2-only provider responses for the initial authorization code flow exchanges which is used in Renarde - we generate an internal ID token but besides we also preserve the orginal ID token claims in the newly generated ID token for the application to keep which needs access to the ID token claims - because it works for such application at the start where an original ID token is returned.

Here is a summary, most of the time was spent on getting the test passing:

  • Refresh token grant is activated if ID token has expired or nearly expired in which case it is an auto-refresh after the ID token has been verified and confirmed to be valid - so if the refresh token grant response does not return new ID token, to avoid NPE, we now do the following: 1) if it was auto-refresh then keep using the original ID token which is still valid 2) if ID token was expired then generate a new ID token, but retain the original claims minus issued at and expiry claims
  • It won't be done by default though, users need to allow it with quarkus.oidc.authentication.id-token-required=false
  • Updated the test to verify this flow - the OidcResource test resource emulating OIDC provider does not return ID token during the refresh (Keycloak based tests will have real refresh token returned so all the variations are covered)
  • Newly generated tokens have 5 mins lifetime by default, so I had to limit it to 5 secs with a smallrye-jwt-build config property since the test expects the session expire after 6+ secs.

This is really it, no OIDC logic is affected, just a support for extending the session in those users where providers other than Keycloak do not recycle ID tokens...

CC @pedroigor

@sberyozkin sberyozkin requested a review from gastaldi November 11, 2022 18:20
@sberyozkin
Copy link
Member Author

Sorry, I focused on getting the related test passing and ignored checking other tests, will fix

@sberyozkin sberyozkin force-pushed the oidc_refresh_noidtoken_npe branch from 4b80ae3 to 3b87708 Compare November 12, 2022 13:25
@sberyozkin
Copy link
Member Author

Was a unit test issue after I refactored a bit the token decoding code

@sberyozkin sberyozkin merged commit 56f933c into quarkusio:main Nov 13, 2022
@quarkus-bot quarkus-bot bot added this to the 2.15 - main milestone Nov 13, 2022
@sberyozkin sberyozkin deleted the oidc_refresh_noidtoken_npe branch November 13, 2022 11:49
@gsmet gsmet modified the milestones: 2.15 - main, 2.14.1.Final Nov 15, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gastaldi gastaldi gastaldi approved these changes

Assignees
No one assigned
Labels
area/oidc kind/bugfix
Projects
None yet
Milestone
2.14.1.Final
Development

Successfully merging this pull request may close these issues.

OIDC token refresh causes NPE if no ID token is returned
3 participants
@sberyozkin @gastaldi @gsmet