OpenIDC/mod_auth_openidc

oidc_refresh_access_token_before_expiry?

zandbelt opened this issue · 3 comments

Discussed in #1109

Originally posted by brandonk10 September 14, 2023
I'm working off current master, and I'm struggling with this function. The way I understand the logic, it's supposed to refresh the token if it's expired, and returns FALSE if there's an error trying to do that - you're either logged out or re-authenticated if that happens.

My problem seems to be here:
```c
if (t_expires > apr_time_now()) return FALSE;
```

From what I can tell, this is simply trying to skip the refresh if the token hasn't expired (within TTL). In this case, shouldn't TRUE be returned? I might be doing something else wrong, but I get logged out immediately with this logic, and if I flip to TRUE, my logins start falling through to the application again.

This occurs when "logout_on_error" is included in OIDCRefreshAccessTokenBeforeExpiry.
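The control-flow problem described in the post, as a constructed C model added here (not mod_auth_openidc's own code): `refresh_buggy` returns FALSE both when the token is still fresh and when the refresh really failed, so a caller applying `logout_on_error` cannot tell the two apart; `refresh_fixed` reports "still fresh" as success and uses a `needs_save` out-parameter, which is one assumed reading of the fix the maintainer mentions. The TTL window, the `session_t` fields and the simulated token endpoint are assumptions for the example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed model of the decision discussed in the issue; not mod_auth_openidc code. */
typedef struct {
    int64_t t_expires;        /* access-token expiry, seconds since epoch */
    bool    endpoint_accepts; /* constructed: does the token endpoint honour the refresh? */
} session_t;

/* Stand-in for the refresh-token round trip to the token endpoint. */
static bool do_refresh(session_t *s, int64_t now) {
    if (!s->endpoint_accepts) return false;
    s->t_expires = now + 3600;
    return true;
}

/* Shape from the issue: FALSE comes back both when the token is still fresh
 * (refresh skipped) and when the refresh failed, so the caller cannot tell
 * "nothing to do" from "error". */
bool refresh_buggy(session_t *s, int64_t now, int64_t ttl) {
    if (s->t_expires - ttl > now) return false; /* not yet within TTL: skipped, not an error */
    return do_refresh(s, now);
}

/* Corrected shape: "still fresh" is a success with nothing to save; only a
 * failed token-endpoint call returns FALSE. needs_save tells the caller
 * whether the session now carries a new expiry that must be written back. */
bool refresh_fixed(session_t *s, int64_t now, int64_t ttl, bool *needs_save) {
    *needs_save = false;
    if (s->t_expires - ttl > now) return true;
    if (!do_refresh(s, now)) return false;
    *needs_save = true;
    return true;
}

typedef enum { ACTION_CONTINUE = 0, ACTION_LOGOUT = 1 } action_t;

/* Caller policy: with logout_on_error set, a FALSE return ends the session. */
action_t handle_request_buggy(session_t *s, int64_t now, int64_t ttl, bool logout_on_error) {
    if (!refresh_buggy(s, now, ttl) && logout_on_error) return ACTION_LOGOUT;
    return ACTION_CONTINUE;
}

action_t handle_request_fixed(session_t *s, int64_t now, int64_t ttl,
                              bool logout_on_error, bool *needs_save) {
    if (!refresh_fixed(s, now, ttl, needs_save) && logout_on_error) return ACTION_LOGOUT;
    return ACTION_CONTINUE;
}
```

With a token that expires two hours from now, the buggy path logs the user out under `logout_on_error` even though nothing went wrong; the fixed path continues and only asks for a session save after an actual refresh.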

@brandonk10 I believe you're right, and I think the fix is that needs_save needs to be passed in to achieve the desired logic.

We've added end-to-end tests in our CI/CD environment to confirm that this issue is fixed in 1cf0a98.

Thanks for the confirmation and the quick commit! I've done some preliminary testing and things are looking good so far.