bitly / oauth2_proxy

A reverse proxy that provides authentication with Google, Github or other provider
MIT License

OpenID Connect: refreshing the cookie #523

Open scr4tchy opened 6 years ago

scr4tchy commented 6 years ago

Hi,

When https://github.com/bitly/oauth2_proxy/pull/389 was implemented, it seems that the RefreshSessionIfNeeded function's definition is a dummy? Why would we not use the refresh token instead and actually refresh the session?

Right now, if cookie-refresh is set, the dummy function is executed, and the code proceeds to ValidateSessionState (saveSession && !revalidated), which throws the ugly "removing session. error validating" and instantly de-authenticates.

In other words, as of now, if -cookie-expire=24h and -cookie-refresh=1h, instead of having at least 24h worth of session, or infinity if the page is visited every < 24h, we get dope 1h long sessions.

/cc @ericchiang
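
The behaviour reported above, as an added example that is not part of the original post and is not oauth2_proxy source: a simplified Go model that replays requests against a cookie with -cookie-expire=24h and -cookie-refresh=1h. Only RefreshSessionIfNeeded and ValidateSessionState are names from the thread; the `provider` interface, `stub` and `sessionLifetime` are hypothetical, and validation is assumed to fail as the issue describes.

```go
package main

import (
	"fmt"
	"time"
)

// Simplified model of the flow described in the issue, not oauth2_proxy source.
// Only the two method names below come from the thread.
type provider interface {
	RefreshSessionIfNeeded() (bool, error)
	ValidateSessionState() bool
}

// stub models both cases: refreshed=false is the no-op refresh the issue
// reports; refreshed=true stands in for a successful refresh-token exchange.
// Validation is assumed to fail, as the issue reports for this setup.
type stub struct{ refreshed bool }

func (s stub) RefreshSessionIfNeeded() (bool, error) { return s.refreshed, nil }
func (s stub) ValidateSessionState() bool            { return false }

// sessionLifetime replays one request per `every` up to `total` and returns the
// time after login at which the session is dropped (total if it survives).
func sessionLifetime(p provider, expire, refresh, every, total time.Duration) time.Duration {
	var issued time.Duration // cookie timestamp, as an offset from login
	for t := every; t <= total; t += every {
		age := t - issued
		if age > expire {
			return t // cookie older than cookie-expire
		}
		if refresh == 0 || age <= refresh {
			continue // cookie still fresh, served as-is
		}
		ok, err := p.RefreshSessionIfNeeded()
		if err != nil || (!ok && !p.ValidateSessionState()) {
			return t // "removing session. error validating"
		}
		issued = t // cookie re-issued with a new timestamp
	}
	return total
}

func main() {
	h, step := time.Hour, 30*time.Minute
	fmt.Println("no-op refresh:", sessionLifetime(stub{false}, 24*h, h, step, 48*h))
	fmt.Println("token refresh:", sessionLifetime(stub{true}, 24*h, h, step, 48*h))
	fmt.Println("refresh off:  ", sessionLifetime(stub{false}, 24*h, 0, step, 48*h))
}
```

With one request every 30 minutes, the no-op case is dropped on the first request after the refresh interval has passed, while the refreshing case survives the whole 48h replay.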

JoelSpeed commented 6 years ago

I believe #621 solves this issue?