The UserInfo function of the go-oidc library doesn't expose details
about the HTTP response from the OIDC Provider if the request fails.
This makes it impossible to detect if the returned code is 401, in
which case the user's session at the AuthService should be revoked.
Initially, we were revoking the session on any error, but this caused
undesired revocations because of errors we hadn't thought of (context
cancellation).
Reimplement the call to UserInfo and expose HTTP response details to the
caller, so they can make a sensible decision.
Related: https://github.com/coreos/go-oidc/issues/248
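An added example (not the project's or go-oidc's own code) of the approach the message describes: a direct userinfo request that surfaces the HTTP status to the caller, plus a caller-side check that revokes the session only on 401 and not on context cancellation. The endpoint URL, token value and helper names are assumptions.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"io"
	"net/http"
)

// UserInfoError carries the HTTP status of a failed userinfo request so the
// caller can tell a 401 (token rejected by the provider) from other failures.
type UserInfoError struct {
	StatusCode int
	Body       string
}

func (e *UserInfoError) Error() string {
	return fmt.Sprintf("userinfo: unexpected status %d: %s", e.StatusCode, e.Body)
}

// fetchUserInfo calls the userinfo endpoint directly (hypothetical helper,
// standing in for go-oidc's UserInfo). It returns the raw body on 200 and a
// *UserInfoError holding the status code otherwise. Transport errors,
// including context cancellation, are returned unchanged.
func fetchUserInfo(ctx context.Context, client *http.Client, userInfoURL, accessToken string) ([]byte, error) {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, userInfoURL, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+accessToken)
	resp, err := client.Do(req)
	if err != nil {
		return nil, err // e.g. context.Canceled: the token was never judged
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // cap body size
	if err != nil {
		return nil, err
	}
	if resp.StatusCode != http.StatusOK {
		return nil, &UserInfoError{StatusCode: resp.StatusCode, Body: string(body)}
	}
	return body, nil
}

// shouldRevokeSession decides whether a userinfo failure means the provider
// rejected the token: only a 401 revokes; cancellations and other errors do not.
func shouldRevokeSession(err error) bool {
	var uie *UserInfoError
	return errors.As(err, &uie) && uie.StatusCode == http.StatusUnauthorized
}
```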