From 7307977a2ec3a3c0fc536dc443abcc74c7858b55 Mon Sep 17 00:00:00 2001
From: Dan
Date: Wed, 15 Jan 2025 14:31:59 +0000
Subject: [PATCH 1/2] change refresh token behaviour so it is only necessary when token has expired
---
 backend/pkg/auth/oidc.go | 32 ++++++++++----------------------
 1 file changed, 10 insertions(+), 22 deletions(-)
diff --git a/backend/pkg/auth/oidc.go b/backend/pkg/auth/oidc.go
index 98f76200f..bb41bd1b8 100644
--- a/backend/pkg/auth/oidc.go
+++ b/backend/pkg/auth/oidc.go
@@ -155,17 +155,6 @@ func (oa *oidcAuth) ValidateToken(c echo.Context) error {
 return nil
 }
- // If refresh token is not available in the session
- // mark the request as unauthorized so that the session
- // can be recreated with refresh_token
- session := echosessions.GetSession(c)
- refreshToken := session.Get("refresh_token")
- if refreshToken == nil {
- logger.Debug().Str("request_id", requestID).Msg("ValidateToken, Refresh token not found in session")
- httpError(c, http.StatusUnauthorized)
- return nil
- }
 _, err := oa.verifier.Verify(ctx, token)
 if err != nil {
 logger.Error().Str("request_id", requestID).AnErr("error", err).Msg("ValidateToken, Token verification error")
@@ -375,23 +364,22 @@ func (oa *oidcAuth) Authenticate(c echo.Context) (teamID string, replied bool) {
 return "", true
 }
- // If refresh token is not available in the session
- // mark the request as unauthorized so that the session
- // can be recreated with refresh_token
- session := echosessions.GetSession(c)
- refreshToken := session.Get("refresh_token")
- if refreshToken == nil {
- logger.Debug().Str("request_id", requestID).Msg("Refresh token not found in session")
- httpError(c, http.StatusUnauthorized)
- return "", true
- }
-
 // Verify Token
 tk, err := oa.verifier.Verify(ctx, token)
 if err != nil {
 // If token is expired, use the refresh_token to fetch a new token
 // and set the new id_token in response header
 if strings.Contains(err.Error(), "token is expired") {
+ // If refresh token is not available in the session
+ // mark the request as unauthorized so that the session
+ // can be recreated with refresh_token
+ session := echosessions.GetSession(c)
+ refreshToken := session.Get("refresh_token")
+ if refreshToken == nil {
+ logger.Debug().Str("request_id", requestID).Msg("Refresh token not found in session")
+ httpError(c, http.StatusUnauthorized)
+ return "", true
+ }
 ts := oa.oauthConfig.TokenSource(ctx, &oauth2.Token{RefreshToken: refreshToken.(string)})
 newToken, err := ts.Token()
 if err != nil {
From 876c5532bb7e1b9415322c69debbca5b5cef947b Mon Sep 17 00:00:00 2001
From: Dan
Date: Thu, 23 Jan 2025 15:17:15 +0000
Subject: [PATCH 2/2] allow for refreshToken as an empty string
Co-authored-by: Ervin Racz <39372002+ErvinRacz@users.noreply.github.com>
---
 backend/pkg/auth/oidc.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/backend/pkg/auth/oidc.go b/backend/pkg/auth/oidc.go
index bb41bd1b8..11a026cb5 100644
--- a/backend/pkg/auth/oidc.go
+++ b/backend/pkg/auth/oidc.go
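Review bot: The added `refreshToken := session.Get("refresh_token")` / `if refreshToken == nil {` lines should use the comma-ok form, because the context line immediately after the added block still performs the unchecked assertion `refreshToken.(string)`, so a session value of any non-string type passes the nil check and panics there (the same holds after the `== ""` comparison added in the `@@ -375,7 +375,7 @@` hunk of PATCH 2/2, since an interface holding a non-string value never equals `""`). Suggest `refreshToken, ok := session.Get("refresh_token").(string)` and `if !ok || refreshToken == "" {`, then `&oauth2.Token{RefreshToken: refreshToken}` on the TokenSource line. With the check moved here, a request whose id_token verifies as unexpired is now accepted without consulting the session at all, which matches the commit message but deserves a comment on the branch stating that the session is only read on expiry. Authenticate's body starts and ends outside the hunk.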
@@ -375,7 +375,7 @@ func (oa *oidcAuth) Authenticate(c echo.Context) (teamID string, replied bool) {
 // can be recreated with refresh_token
 session := echosessions.GetSession(c)
 refreshToken := session.Get("refresh_token")
- if refreshToken == nil {
+ if refreshToken == nil || refreshToken == "" {
 logger.Debug().Str("request_id", requestID).Msg("Refresh token not found in session")
 httpError(c, http.StatusUnauthorized)
 return "", true