freben
commented
5 days ago Am I understanding it right that even if the immediate refresh wasn't there, users would have a suddenly expired session after a while, and a broken Backstage experience? Just out of curiosity, how long is that expiry? Is this an intermediate state of things or is there some path forward where you can achieve refreshable sessions?
Either way, sure, if there is a way of avoiding this safely (without breaking other assumptions), then that sounds like a useful fix.
mcintoac-aws
π Description
With the
enableExperimentalRedirectFlowoption which was first introduced in this PR, after login, a request is immediately made to the/refreshendpoint. This requires the existence of theoauth2-refresh-tokensession cookie, which is set from theresult.sessionobject. If a refresh token is therefore not included in the response from the provider, this cookie is not set, and the requests throws an error which prevents login.π Expected behavior
On login, a request is not made to the
/refreshendpoint, and therefore a refresh token is not required to allow initial login. Whether your identity provider doesn't support refresh flow, or doesn't have it enabled, login should still be allowed within the expiration of the original access token.π Actual Behavior with Screenshots
π Reproduction steps
Set the
enableExperimentalRedirectFlow: trueoption in your config file, then attempt to login to an identity provider which does not return a refresh token in it's /token response.π Provide the context for the Bug.
This was first introduced in this PR.
A comment chain on the CR between the implementer and @Rugvip seems to be somewhat related, notably:
π₯οΈ Your Environment
Browser: Google Chrome
π Have you spent some time to check if this bug has been raised before?
π’ Have you read the Code of Conduct?
Are you willing to submit PR?
Yes I am willing to submit a PR!