external-auth-server: access_type missing for OIDC/OAuth. Token expires after one hour.

Hi

I’m using the oidc auth module to authenticate against Google. My actual problem is that after an hour I have to re-authenticate against Google. I’ve read that Google has to be called with access_type=offline to get a refresh_token. But I haven’t found any possibility to add this to the configuration. I also investigated the request in the Chrome dev tools and this param is missing.

In addition, I don’t use Redis. But I only run a single-node k3s cluster with just one instance of Traefik v2 and external-auth-server. I guess in this case Redis is optional.

I use the following configuration, just to check whether all the other stuff is correct:

let config_token = {
  aud: "mydomain.io",
  eas: {
    plugins: [{
      type: "oidc",
      issuer: {
        discover_url: "https://accounts.google.com/.well-known/openid-configuration",
      },
      client: {
        client_id: "myid.apps.googleusercontent.com",
        client_secret: "mysecret"
      },
      scopes: ["openid", "email", "profile"], // must include openid
      redirect_uri: "https://auth.domain.io/oauth/callback",
      features: {
        cookie_expiry: true,
        userinfo_expiry: true,
        session_expiry: true,
        session_expiry_refresh_window: 60 * 30, // Google's access_token expires within 60min
        session_retain_id: true,
        refresh_access_token: true,
        fetch_userinfo: true,
        introspect_access_token: false, // Not supported by Google
        authorization_token: "access_token"
      },
      assertions: {
        exp: true,
        nbf: true,
        iss: true,
        userinfo: [{
          query_engine: "jp",
          query: "$.email",
          rule: {
            method: "in",
            value: ["myemailr@gmail.com"],
            case_insensitive: false
          }
        }]
      },
      cookie: {
        domain: "mydomain.io",
      },
      headers: {},
    }]
  }
};

Google’s access_token has a validity of 60 minutes.

Thank you. Best Danny

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 26 (15 by maintainers)

Most upvoted comments

Thank you, the request to Google now includes the access_type=offline parameter. Is there a simple method to check whether eas can retrieve and use it? Because this part is hidden from the browser. According to Google, eas has to retrieve the refresh_token from the token endpoint, together with the other tokens (id_token and access_token).

I will give you feedback from a front-end perspective whether I have to re-authenticate after an hour or not 😉
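
An added example, not part of the thread or of external-auth-server's own code: two checks for the points discussed above, one for the authorization request visible in the browser dev tools and one for a token endpoint response. The function names and all sample values are constructed for illustration; how a token response would be obtained from eas is not covered on this page.

```javascript
// Added example: hypothetical helper names, constructed sample values.

// Inspect the authorization request URL (as copied from the browser dev tools).
function checkAuthorizationRequest(authUrl) {
  const params = new URL(authUrl).searchParams;
  const words = (name) => (params.get(name) || "").split(/\s+/).filter(Boolean);
  return {
    offlineAccess: params.get("access_type") === "offline",
    codeFlow: params.get("response_type") === "code",
    hasOpenidScope: words("scope").includes("openid"),
    // Google returns a refresh_token on a user's first consent only,
    // unless prompt=consent forces the consent screen again.
    forcesConsent: words("prompt").includes("consent"),
  };
}

// Summarize a token endpoint response without echoing any token value.
function checkTokenResponse(body, nowSeconds) {
  const present = (key) => typeof body[key] === "string" && body[key].length > 0;
  const expiresIn = Number(body.expires_in);
  return {
    hasAccessToken: present("access_token"),
    hasIdToken: present("id_token"),
    // Without a refresh_token the session cannot outlive the access_token.
    hasRefreshToken: present("refresh_token"),
    accessTokenExpiresAt: Number.isFinite(expiresIn) ? nowSeconds + expiresIn : null,
  };
}

// Constructed sample inputs (not captured traffic).
const sampleAuthUrl =
  "https://accounts.google.com/o/oauth2/v2/auth" +
  "?client_id=myid.apps.googleusercontent.com&response_type=code" +
  "&scope=openid%20email%20profile&access_type=offline" +
  "&redirect_uri=https%3A%2F%2Fauth.domain.io%2Foauth%2Fcallback";
const sampleTokenResponse = {
  access_token: "constructed-access-token",
  id_token: "constructed-id-token",
  refresh_token: "constructed-refresh-token",
  expires_in: 3599,
  token_type: "Bearer",
};

console.log(checkAuthorizationRequest(sampleAuthUrl));
console.log(checkTokenResponse(sampleTokenResponse, 1700000000));
```

If `offlineAccess` is true but `hasRefreshToken` is false, the account has most likely already consented to this client once; Google then omits the refresh_token unless consent is requested again.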