Optional ID token should not be required on token refresh
anderius opened this issue · 2 comments
Our setup fails to refresh tokens, simply because our IdP does not return id_token in the refresh token response.
As can be seen here, that is optional: https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokenResponse
Upon successful validation of the Refresh Token, the response body is the Token Response of Section 3.1.3.3 except that it might not contain an id_token.
The code here, however, requires id_token:
nginx-openid-connect/openid_connect.js
Lines 85 to 92 in afa8f4c
It would be nice if id_token was not required.
Another very related issue with the code is that it uses the id token in the variable session_jwt, and that is used in validating each request:
nginx-openid-connect/frontend.conf
Line 21 in afa8f4c
This does not work when the id-token is not refreshed.
After the user is successfully authenticated on the AS and nginx retrieves the token set, a key-val pair is created in the keyval: $cookie_auth_token -> $session_jwt
For each subsequent request with these cookies, the auth_jwt module can successfully retrieve $session_jwt and use it as the token:
auth_jwt "" token=$session_jwt;This is a specific behavior of the implementation. It’s important to note that nginx doesn't store variables persistently (except via keyval), and you are able to work with claims from the ID token only because the auth_jwt module "parses" the token on every request.
This behavior can be changed, but it would make the configuration more complex, as you would need to manually store all required claims in keyval explicitly.
PS. The lifespan of the id token is indeed not tied to the lifespan of the session (cookie), that’s correct. However, the only current workaround is to increase the exp of the ID token.
Unfortunately, if you are using the refresh mechanism to renew the access token (which is its intended purpose), this approach will not work effectively.