oidc_refresh_access_token_before_expiry?
zandbelt opened this issue · 3 comments
Discussed in #1109
Originally posted by brandonk10 September 14, 2023
I'm working off current master, and I'm struggling with this function. The way I understand the logic, it's supposed to refresh the token if it's expired, and returns FALSE if there's an error trying to do that - you're either logged out or re-authenticated if that happens.
My problem seems to be here:
if (t_expires > apr_time_now()) return FALSE;
From what I can tell, this is simply trying to skip the refresh if the token hasn't expired (within TTL). In this case, shouldn't TRUE be returned? I might be doing something else wrong, but I get logged out immediately with this logic, and if I flip to TRUE, my logins start falling through to the application again.
This occurs when "logout_on_error" is included in OIDCRefreshAccessTokenBeforeExpiry.
@brandonk10 I believe you're right and I think the fix is that needs_save needs to be passed in to achieve the desired logic
We've added end-to-end tests in our CI/CD environment to confirm that this issue is fixed in 1cf0a98
Thanks for the confirmation and the quick commit! I've done some preliminary testing and things are looking good so far.
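The return-value problem discussed in this thread, shown as an added example that is not the project's code or the contents of the fix commit: a boolean that means both "no refresh needed" and "refresh failed" logs out a user whose token is still valid once the caller treats FALSE as an error, while reporting success separately from a needs_save out-parameter does not. The struct, the helper names and the plain time_t arithmetic are assumptions made for illustration.

```c
#include <stdbool.h>
#include <time.h>

/* Hypothetical session record; field names are illustrative only. */
struct session {
    time_t access_token_expires; /* absolute expiry, seconds since epoch */
    bool   refresh_will_fail;    /* constructed switch simulating a token endpoint error */
};

/* Stand-in for the refresh grant against the token endpoint. */
static bool do_refresh(struct session *s, time_t now) {
    if (s->refresh_will_fail) return false;
    s->access_token_expires = now + 3600; /* constructed new lifetime */
    return true;
}

/* Conflated form: false means both "nothing to do" and "refresh failed". */
static bool refresh_conflated(struct session *s, time_t now, time_t ttl_min) {
    time_t t_expires = s->access_token_expires - ttl_min;
    if (t_expires > now) return false; /* skip path, same shape as the quoted line */
    return do_refresh(s, now);
}

/* Separated form: the return value is success/failure only; *needs_save
 * reports whether the session changed and must be written back. */
static bool refresh_separated(struct session *s, time_t now, time_t ttl_min, bool *needs_save) {
    time_t t_expires = s->access_token_expires - ttl_min;
    *needs_save = false;
    if (t_expires > now) return true;      /* still valid: not an error */
    if (!do_refresh(s, now)) return false; /* genuine failure */
    *needs_save = true;
    return true;
}

/* Caller policy corresponding to "logout_on_error": false ends the session. */
static bool logged_out_conflated(struct session *s, time_t now, time_t ttl_min) {
    return !refresh_conflated(s, now, ttl_min);
}

static bool logged_out_separated(struct session *s, time_t now, time_t ttl_min, bool *needs_save) {
    return !refresh_separated(s, now, ttl_min, needs_save);
}
```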