envoy: oauth2: Can't use refresh token to refresh session, as all cookies have expired
Title: Can’t use refresh token to refresh session, as all cookies have expired
Description: Issue #24684 recently landed, which should allow the refresh token to get a new access token, after the access token expires.
In local testing, I found that all cookies were set based on the expiry time of the access token. Therefore, at the point where the refresh token could be used, it was no longer sent by the browser.
Repro steps:
Configure your OAuth2 authorization server so access tokens have a short lifetime (e.g. 5 minutes), and give refresh tokens a longer lifetime (e.g. infinite). Also, request a refresh token by requesting the offline_access scope. In addition, the refresh token feature seems to depend on forward_bearer_token: true.
While the refresh token doesn’t expire, the cookie that holds it, and all other oauth2 cookies, are set with an expiry time which is the same as that of the access token (now plus 5 minutes).
I was able to modify the cookie expiry times in the browser (e.g. set to +1 day), and found that the access token was updated without requiring a redirect. However, the new cookies were again reset to expire after 5 minutes (the expiry time of the access token).
Suggested behavior:
The RefreshToken cookie, and any other cookies needed to mark that cookie as valid (e.g. HMAC, …) should have a much higher expiry time than the access token lifetime reported by the authorization server, when the use_refresh_token feature is enabled. The existence of the OauthExpires cookie should continue to maintain the security of the protocol, as it should continue to report the actual expiry time of the current access token.
The cookie lifetimes should be relatively long, as refresh tokens can potentially have an unbounded lifetime (but the exact lifetime is unknown). Ideally, the value should be configurable.
Config: The relevant parts of the config are:
"typed_config": {
  "@type": "type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2",
  "config": {
    "auth_scopes": [
      "email",
      "openid",
      "offline_access"
    ],
    "forward_bearer_token": true,
    "use_refresh_token": true,
    ...
  }
}
About this issue
- State: closed
- Created 9 months ago
- Reactions: 5
- Comments: 19 (8 by maintainers)
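To make the cookie-lifetime problem concrete, the following is an added Python model of the filter's cookie handling; it is illustration written for this page, not Envoy's code. The cookie names (BearerToken, IdToken, OauthExpires, OauthHMAC, RefreshToken) are Envoy's defaults; the HMAC input layout, the 7-day cookie lifetime, the host name and the secret are assumptions. The simulation walks through the reported behaviour, the browser-side cookie edit from the report, the suggested behaviour, and why a client that forges the OauthExpires value is still sent back through the full flow.

```python
import base64
import hashlib
import hmac

ACCESS_TOKEN_TTL = 300                # 5-minute access token, as in the report
REFRESH_COOKIE_TTL = 7 * 24 * 3600    # assumed cookie lifetime once refresh tokens are in use
HOST = "app.example.com"              # constructed host name
SECRET = b"constructed-hmac-secret"   # constructed; the real filter loads its secret via SDS

COOKIE_NAMES = ("BearerToken", "IdToken", "OauthExpires", "OauthHMAC", "RefreshToken")


def compute_hmac(secret, host, expires, access_token, id_token, refresh_token):
    """HMAC-SHA256 over every value the filter later trusts, base64-encoded.

    Binding `expires` into the MAC is what keeps the OauthExpires value honest:
    a client can edit the cookie, but cannot produce a MAC for the edited value.
    The exact input layout is an assumption of this example.
    """
    msg = f"{host}{expires}{access_token}{id_token}{refresh_token}".encode()
    return base64.b64encode(hmac.new(secret, msg, hashlib.sha256).digest()).decode()


def issue_cookies(now, access_token, id_token, refresh_token, long_lived):
    """Return {name: (value, absolute cookie expiry)} as the filter would set them.

    long_lived=False reproduces the report: every cookie lives exactly as long as
    the access token, so the RefreshToken cookie is gone when it is first needed.
    long_lived=True is the suggested behaviour: the cookies outlive the access
    token while the OauthExpires *value* still carries the real access-token
    expiry. Because the HMAC binds all five values, all five cookies have to
    survive together, or the HMAC can no longer be verified.
    """
    expires = now + ACCESS_TOKEN_TTL
    mac = compute_hmac(SECRET, HOST, expires, access_token, id_token, refresh_token)
    cookie_exp = now + (REFRESH_COOKIE_TTL if long_lived else ACCESS_TOKEN_TTL)
    values = {
        "BearerToken": access_token,
        "IdToken": id_token,
        "OauthExpires": str(expires),
        "OauthHMAC": mac,
        "RefreshToken": refresh_token,
    }
    return {name: (values[name], cookie_exp) for name in COOKIE_NAMES}


def cookies_sent_by_browser(jar, now):
    """A browser drops cookies whose expiry has passed and sends only the rest."""
    return {name: value for name, (value, exp) in jar.items() if exp > now}


def classify_request(cookies, now):
    """Decide what the filter does with a request: 'valid', 'refresh' or 'redirect'."""
    expires_s = cookies.get("OauthExpires", "")
    expected = compute_hmac(SECRET, HOST, expires_s,
                            cookies.get("BearerToken", ""),
                            cookies.get("IdToken", ""),
                            cookies.get("RefreshToken", ""))
    if not hmac.compare_digest(expected, cookies.get("OauthHMAC", "")):
        return "redirect"        # untrusted or incomplete cookies: full authorization flow
    if expires_s.isdigit() and int(expires_s) > now:
        return "valid"           # access token still good: forward the request
    if cookies.get("RefreshToken"):
        return "refresh"         # use_refresh_token: obtain a new access token, no redirect
    return "redirect"


def simulate(long_lived, elapsed, browser_extends_cookies=False, forge_expires=False):
    """Issue cookies at t0 and classify a request `elapsed` seconds later.

    browser_extends_cookies models the reporter's manual edit of the cookie
    expiry attributes; forge_expires models a client rewriting the OauthExpires
    value itself, which the HMAC check must reject.
    """
    t0 = 1_700_000_000
    jar = issue_cookies(t0, "access-1", "id-1", "refresh-1", long_lived)
    if browser_extends_cookies:
        jar = {name: (value, t0 + 86_400) for name, (value, _) in jar.items()}
    now = t0 + elapsed
    sent = cookies_sent_by_browser(jar, now)
    if forge_expires and "OauthExpires" in sent:
        sent["OauthExpires"] = str(now + 3600)   # attribute untouched, value lied about
    return classify_request(sent, now)


if __name__ == "__main__":
    print("reported behaviour, t+301s:", simulate(False, 301))
    print("cookie attributes edited in browser, t+301s:",
          simulate(False, 301, browser_extends_cookies=True))
    print("suggested behaviour, t+301s:", simulate(True, 301))
    print("forged OauthExpires value, t+301s:", simulate(True, 301, forge_expires=True))
```

The point the model makes is that the cookie attribute (Max-Age/Expires) and the OauthExpires value are two different things: the attribute only decides whether the browser still sends the cookie, while the value, protected by the HMAC, decides whether the access token is still trusted. Lengthening the attribute therefore does not weaken the protocol, but because the HMAC covers every cookie value, all of the cookies have to share the longer lifetime.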
I know about this issue. Sure, https://github.com/envoyproxy/envoy/pull/26764 breaks refresh token support. I found this out after my pull request was accepted. When I was adding refresh token support, these changes were not there yet. We need to increase the cookie lifetime for the refresh token. I am going to create a new pull request to fix it.
Thank you @fiadliel for highlighting the issue.
Seems like this issue would still be relevant, despite the fact that there hasn’t been activity on it.
+1 about the issue above. My hacky Lua-based solution is: trigger the refresh token flow by deleting the HMAC cookie when the TTL of the access token is less than 10 minutes (assuming the TTL of the access cookie is > 10 min; in my case it is 1 hour).
CC @derekargueta @snowp
Validated that this feature works as expected when envoy.reloadable_features.oauth_use_standard_max_age_value is set to false.
Personally, I’d prefer that the refresh token feature stays in the next envoy release, as it’s very useful, and there is a workaround to allow it to work.