
Only Require OIDC Refresh Token If Access Token Expired #899

Merged
merged 2 commits into from
Jan 23, 2025

Conversation

justdan96
Contributor

Only Require OIDC Refresh Token If Access Token Expired

Change the refresh token behaviour so that the refresh token is only deemed necessary when the access token has expired. If it is not supplied but the access token has not expired then we will no longer fail validation.

How to use

Gain an id_token and refresh_token from OIDC, supply only the id_token in the Bearer auth header to Nebraska. This will work, whereas previously it did not.

Testing done

Used dex with an LDAP connector and local user authentication, with group support added (https://github.com/mjudeikis/dex/tree/mjudeikis/groups.support). Tested OIDC authentication in the browser through Dex with an LDAP user, confirmed working. Tested OIDC authentication in curl through Dex with a local user, confirmed working. The curl commands were similar to:

```shell
curl -L -X POST 'http://localhost:5556/dex/token' \
-H 'Authorization: Basic REDACTED' \
-H 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'scope=openid profile groups offline_access' \
--data-urlencode 'username=REDACTED' \
--data-urlencode 'password=REDACTED'
```

```shell
curl -vvv -H 'Authorization: Bearer REDACTED' -H 'Content-Type: application/json' -X GET http://localhost:3000/api/apps
```

  • Changelog entries added in the respective changelog/ directory (user-facing change, bug fix, security fix, update)
  • Inspected CI output for image differences: /boot and /usr size, packages, list files for any missing binaries, kernel modules, config files, kernel modules, etc.
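The rule this PR describes, that a refresh token is only needed once the access/ID token has expired, as an added Go example. This is not Nebraska's code from backend/pkg/auth/oidc.go; it is a stand-alone illustration of the decision logic with constructed, unsigned tokens (the `exp` claim is read without signature verification, which in a real verifier would already have happened, together with issuer and audience checks, before the expiry check runs). Function names, the `Decision` type and the demo tokens are all assumptions made for this example.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Decision is the outcome of checking a Bearer ID token against the rule
// "a refresh token is required only when the ID token has expired".
type Decision int

const (
	// Accept: the ID token is still valid; the refresh token is irrelevant.
	Accept Decision = iota
	// Refresh: the ID token has expired but a refresh token was supplied,
	// so the caller should attempt a refresh against the IdP.
	Refresh
	// Reject: the ID token has expired and no refresh token was supplied.
	Reject
)

func (d Decision) String() string {
	return [...]string{"accept", "refresh", "reject"}[d]
}

// tokenExpiry extracts the exp claim from a JWT's payload segment.
// It deliberately does NOT verify the signature: in a real verifier the
// signature, issuer and audience checks run before this expiry check.
func tokenExpiry(idToken string) (time.Time, error) {
	parts := strings.Split(idToken, ".")
	if len(parts) != 3 {
		return time.Time{}, errors.New("malformed JWT: expected three segments")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return time.Time{}, fmt.Errorf("decoding payload: %w", err)
	}
	var claims struct {
		Exp int64 `json:"exp"`
	}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return time.Time{}, fmt.Errorf("parsing claims: %w", err)
	}
	if claims.Exp == 0 {
		return time.Time{}, errors.New("missing exp claim")
	}
	return time.Unix(claims.Exp, 0), nil
}

// Evaluate applies the rule: an unexpired ID token is accepted on its own;
// an expired one is rejected unless a refresh token accompanies it.
// `now` is passed in so the decision is testable without a real clock.
func Evaluate(idToken, refreshToken string, now time.Time) (Decision, error) {
	exp, err := tokenExpiry(idToken)
	if err != nil {
		return Reject, err
	}
	if now.Before(exp) {
		return Accept, nil
	}
	if refreshToken == "" {
		return Reject, errors.New("ID token expired and no refresh token supplied")
	}
	return Refresh, nil
}

// makeUnsignedToken builds a constructed, unsigned demo JWT (empty
// signature segment) so the example runs offline. Demonstration only.
func makeUnsignedToken(exp time.Time) string {
	header := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"none","typ":"JWT"}`))
	payload, _ := json.Marshal(map[string]interface{}{"sub": "demo-user", "exp": exp.Unix()})
	return header + "." + base64.RawURLEncoding.EncodeToString(payload) + "."
}

func main() {
	now := time.Now()
	valid := makeUnsignedToken(now.Add(time.Hour))
	expired := makeUnsignedToken(now.Add(-time.Hour))

	for _, c := range []struct{ name, id, refresh string }{
		{"valid id token, no refresh token", valid, ""},
		{"expired id token, no refresh token", expired, ""},
		{"expired id token, refresh token present", expired, "constructed-refresh-token"},
	} {
		d, err := Evaluate(c.id, c.refresh, now)
		fmt.Printf("%-42s -> %s (err=%v)\n", c.name, d, err)
	}
}
```

The first case is the one this PR changes: before, a missing refresh token failed validation even though the ID token was still good; with the rule above it is accepted, and the refresh token only matters once `exp` has passed.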

@ErvinRacz
Contributor

Looks good! I will perform a few more tests in addition on my end to see the refresh token in action.

Review thread on backend/pkg/auth/oidc.go (outdated, resolved)
@ErvinRacz ErvinRacz merged commit 520a85d into flatcar:main Jan 23, 2025
2 checks passed
2 participants