authcrunch / authcrunch.github.io

Documentation for Caddy v2 Auth Portal and Authorize Plugins.

Azure OIDC Expired Tokens Redirect URL Issue #38

Closed nekrondev closed 1 year ago

nekrondev commented 1 year ago

I've set up a protected website for my team's internal HTML documentation using the Azure OIDC Enterprise application configuration. Authentication works like a charm; however, if the token expires, e.g. after you continue reading documentation after a lunch break, the HTTP redirect to the Azure OIDC provider for re-issuing a new token will always produce an Azure authentication error.

I did some investigation and it seems that the login_hint parameter sent to the Azure OIDC endpoint includes the redirect_url parameter, which is not supported by Azure. If I remove that parameter from the GET request, re-authentication and the redirect to the Caddy security auth portal work.

So in case of an expired token when using the Azure OIDC provider, your only choice currently is to set `disable auth redirect query` inside the authorization policy configuration.

This works as a workaround because now, in case of an expired token, you will be redirected to the Caddy security authorization portal, but not to the referring documentation page where the token expired and you left off reading the docs.

Question: In case of an expired token, is there a way to redirect to Caddy's auth endpoint instead of the Azure OIDC endpoint, so that the redirect_url parameter is applied and you continue on the web page where you left off?

The Caddy security docs read (https://authp.github.io/docs/authorize/auto-redirect-url):

> Importantly, if the plugin finds an expired token, it attempts to extract the token's issuer value. Then, it checks whether the value starts with http. If it does, then the set auth url will be overwritten with the issuer's web address.
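For readers who want to see where the workaround from this report sits in a caddy-security configuration, here is an added Caddyfile fragment. It is an illustrative example and not configuration from the issue or from the project's documentation; the hostnames, the policy name `docs_policy`, the document root and the `authp/user` role are placeholders chosen for the example.

```caddyfile
# Added example (not from the issue). Hostnames, policy name, root path and
# role are assumptions for illustration only.
{
    security {
        authorization policy docs_policy {
            # Where unauthenticated requests are sent to log in.
            set auth url https://auth.example.com/

            # Workaround described in the issue: stop appending the
            # redirect_url query parameter on the auth redirect, which the
            # reporter found Azure rejects after token expiry.
            # Trade-off: after re-login the user lands on the portal, not on
            # the documentation page they were reading.
            disable auth redirect query

            # Assumed role for this example.
            allow roles authp/user
        }
    }
}

docs.example.com {
    # Protect the static documentation site with the policy above.
    authorize with docs_policy
    root * /srv/docs
    file_server
}
```

Keep the trade-off in mind when deciding whether to apply this: losing the return-to-page behaviour is the cost of avoiding the Azure error on expired tokens, and the fix referenced later in the thread removes the need for the workaround.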
nekrondev commented 1 year ago

OK, I fixed it myself, but there is an issue reported here (https://github.com/greenpau/go-authcrunch/issues/23).

greenpau commented 1 year ago

@nekrondev, the fix is now part of the v1.1.15 release.