jkroepke / openvpn-auth-oauth2

openvpn-auth-oauth2 is a plugin/management-interface client for OpenVPN server that handles OIDC-based single sign-on (SSO) auth flows
https://github.com/jkroepke/openvpn-auth-oauth2/wiki
MIT License
173 stars 27 forks

The re-authentication of openvpn #296

Closed lsx1205 closed 2 months ago

lsx1205 commented 3 months ago

Problem Statement

293 The error message for this problem does not depend on the token-authentication settings in the config.yml configuration file in /etc/openvpn-auth-oauth2.

According to the following, are auth and token required?

    oauth2:
      ...
      endpoint:
        discovery: "https://door.casdoor.com/.well-known/openid-configuration"
        auth: "https://door.casdoor.com/login"
        token: "https://door.casdoor.com/tokens"
      ...

openvpn-auth-oauth2 logs

time=2024-08-06T19:01:42.124+08:00 level=WARN msg="error from token exchange: error from token exchange: ErrorType=invalid_grant Description=refresh token is invalid, expired or revoked" ip=xxxxxxxx:56544 cid=1 kid=3 common_name="" reason=REAUTH session_id=3+9ozig4QCC5ebFf session_state=AuthenticatedEmptyUser
time=2024-08-06T19:01:42.125+08:00 level=INFO msg="start pending auth" ip=xxxxxxxx:56544 cid=1 kid=3 common_name="" reason=REAUTH session_id=3+9ozig4QCC5ebFf session_state=AuthenticatedEmptyUser

Environment

lsx1205 commented 3 months ago

Is this token stored in memory? Or do I need to configure the auth and token parameters of /etc/openvpn-auth-oauth2/config.yml first to obtain the token value and store it in memory? Does it re-authenticate with the token after authentication expires?

jkroepke commented 3 months ago

The tokens are stored in memory for each user. Token and auth endpoints should only be configured if auto-discovery is not working.

Only the refresh token will be stored, not the access token. Maybe casdoor has a distinct configuration for the refresh token lifetime. It seems that the refresh token lifetime is too low.

Session lifetime is related to the access token, which is not used by openvpn-auth-oauth2.

lsx1205 commented 3 months ago

> The tokens are stored in memory for each user. Token and auth endpoints should only be configured if auto-discovery is not working.
>
> Only the refresh token will be stored, not the access token. Maybe casdoor has a distinct configuration for the refresh token lifetime. It seems that the refresh token lifetime is too low.
>
> Session lifetime is related to the access token, which is not used by openvpn-auth-oauth2.

It means that the re-authentication is implemented using the refresh token, which is stored in memory. The refresh token lifetime of my casdoor is set to 168 hours, but it seems to have no effect. According to the above error log, I don't think the oauth2 plugin gets the refresh token information.

jkroepke commented 3 months ago

If openvpn-auth-oauth2 doesn't get a refresh token, a warning will be logged.

I guess on debug log level the token will be logged. You could grab and decode the token and validate whether the expiry date is correct.

lsx1205 commented 3 months ago

No, I don't see any record of the token at the debug logging level. session_state is AuthenticatedEmptyUser.

log:

    time=2024-08-07T14:29:14.109+08:00 level=DEBUG msg=">CLIENT:REAUTH,1,3\r\n>CLIENT:ENV,n_clients=1\r\n>CLIENT:ENV,password=SESS_ID_AT_bFvyQQ5t1NekzmhzAAAAAGazE8MAAAAAZrMTw4JKQtAMa1fVfM/hz7eFiY4c4Lu53NYse4K5uJYKAM8L\r\n>CLIENT:ENV,session_id=bFvyQQ5t1Nekzmhz\r\n>CLIENT:ENV,session_state=AuthenticatedEmptyUser\r\n>CLIENT:ENV,untrusted_port=9793\r\n>CLIENT:ENV,untrusted_ip=xxxxxxxxx\r\n>CLIENT:ENV,common_name=\r\n>CLIENT:ENV,username=\r\n>CLIENT:ENV,IV_SSO=webauth,crtext\r\n>CLIENT:ENV,IV_GUI_VER=OCmacOS_3.4.9-4830\r\n>CLIENT:ENV,IV_AUTO_SESS=1\r\n>CLIENT:ENV,IV_LZO=1\r\n>CLIENT:ENV,IV_CIPHERS=AES-128-CBC:AES-192-CBC:AES-256-CBC:AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305\r\n>CLIENT:ENV,IV_MTU=1600\r\n>CLIENT:ENV,IV_PROTO=990\r\n>CLIENT:ENV,IV_TCPNL=1\r\n>CLIENT:ENV,IV_NCP=2\r\n>CLIENT:ENV,IV_PLAT=mac\r\n>CLIENT:ENV,IV_VER=3.8.2connect3\r\n>CLIENT:ENV,ifconfig_pool_netmask=255.255.255.0\r\n>CLIENT:ENV,ifconfig_pool_remote_ip=192.168.100.2\r\n>CLIENT:ENV,time_unix=1723012035\r\n>CLIENT:ENV,time_ascii=2024-08-07 14:27:15\r\n>CLIENT:ENV,trusted_port=9793\r\n>CLIENT:ENV,trusted_ip=xxxxxxxxx\r\n>CLIENT:ENV,remote_port_1=9194\r\n>CLIENT:ENV,local_port_1=9194\r\n>CLIENT:ENV,proto_1=tcp-server\r\n>CLIENT:ENV,daemon_pid=1420179\r\n>CLIENT:ENV,daemon_start_time=1723011643\r\n>CLIENT:ENV,daemon_log_redirect=1\r\n>CLIENT:ENV,daemon=0\r\n>CLIENT:ENV,verb=3\r\n>CLIENT:ENV,config=server.conf\r\n>CLIENT:ENV,ifconfig_local=192.168.100.1\r\n>CLIENT:ENV,ifconfig_netmask=255.255.255.0\r\n>CLIENT:ENV,script_context=init\r\n>CLIENT:ENV,tun_mtu=1500\r\n>CLIENT:ENV,dev=tun0\r\n>CLIENT:ENV,dev_type=tun\r\n>CLIENT:ENV,redirect_gateway=0\r\n>CLIENT:ENV,END\r\n"
    time=2024-08-07T14:29:14.109+08:00 level=INFO msg="new client reauth" ip=xxxxxxxxx:9793 cid=1 kid=3 common_name="" reason=REAUTH session_id=bFvyQQ5t1Nekzmhz session_state=AuthenticatedEmptyUser
    time=2024-08-07T14:29:14.109+08:00 level=INFO msg="initiate non-interactive authentication via refresh token" ip=xxxxxxxxx:9793 cid=1 kid=3 common_name="" reason=REAUTH session_id=bFvyQQ5t1Nekzmhz session_state=AuthenticatedEmptyUser
    time=2024-08-07T14:29:14.181+08:00 level=WARN msg="error from token exchange: error from token exchange: ErrorType=invalid_grant Description=refresh token is invalid, expired or revoked" ip=xxxxxxxxx:9793 cid=1 kid=3 common_name="" reason=REAUTH session_id=bFvyQQ5t1Nekzmhz session_state=AuthenticatedEmptyUser
    time=2024-08-07T14:29:14.181+08:00 level=INFO msg="start pending auth" ip=xxxxxxxxx:9793 cid=1 kid=3 common_name="" reason=REAUTH session_id=bFvyQQ5t1Nekzmhz session_state=AuthenticatedEmptyUser
    time=2024-08-07T14:29:14.181+08:00 level=DEBUG msg="client-pending-auth 1 3 \"WEB_AUTH::http://xxxxxxxxx:443/oauth2/start?state=Hn-tcpPqweBY71sV9--amGwiHrYGyJo5ToBSnPXqxJQWuZKdCFEPB-VmZyGt8fRXj_EtZhHZPMjd8PY8pcPEMdZ7XYRbvUAmpSBXxQ\" 120"

jkroepke commented 3 months ago

You are right, there is no logging for such sensitive data.

lsx1205 commented 3 months ago

I have a feeling casdoor didn't pass the refresh token into the oauth2 plug-in. Is that possible?

jkroepke commented 3 months ago

That case is at least covered and should raise a warning on initial login:

https://github.com/jkroepke/openvpn-auth-oauth2/blob/dbd87e11cf526941506a53b872a743a10b0f5df1/internal/oauth2/providers/generic/user.go#L19-L31

lsx1205 commented 3 months ago

Yes, if I specify the URLs of auth and token in the /etc/openvpn-auth-oauth2/config.yml file, then I do get a message that maybe my URL address is incorrectly provided. Is id_token the refresh token?

    time=2024-08-07T15:58:40.0568+08:00 level=WARN msg="provider did not return a id_token. Validation of user data is not possible." cid=11 kid=1 session_id=jC4doBc0ysAyMACO common_name=""

If I do not specify the URLs of auth and token, I get the following error:

    time=2024-08-07T16:35:08.188+08:00 level=WARN msg="error from token exchange: error from token exchange: ErrorType=invalid_grant Description=refresh token is invalid, expired or revoked" cid=18 kid=3 common_name="" reason=REAUTH session_id=VJdnfuo8wPVcakC2 session_state=AuthenticatedEmptyUser

jkroepke commented 3 months ago

You are right, an empty refresh token is not covered by openvpn-auth-oauth2 and is not logged anywhere.

But if the id_token is missing, the chance is extremely high of not getting a refresh_token either.

lsx1205 commented 3 months ago

Hi brother, I did an experiment: using the curl command to send a POST request, I can get the refresh token information. Does this mean that my casdoor can return the refresh token information correctly, and the problem is the configuration of oauth2, am I right? But I can't find out exactly what is wrong with my oauth2 configuration. Can you give me some advice?

test:

# curl -X POST https://door.cas.com/api/login/oauth/access_token \
  -d "client_id=cxxx1xx7xxxxxxxad9f" \
  -d "client_secret=exxxxx84adxxxxxxxxxx000dc0ef0xxxxxxd9" \
  -d "grant_type=authorization_code" \
  -d "code=c5e3f24b482ce26aba44" \
  -d "redirect_uri=http://xxxxxxxxx/oauth2/callback" | jq .
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  3827  100  3631  100   196  64839   3500 --:--:-- --:--:-- --:--:-- 69581
{
  "access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6ImNlcnQtYnVpbHQtaW4iLCJ0eXAiOiJKV1QifQ.eyJhdWQiOlsiYzJkZDE0NjcyZTc0MDM4N2FkOWYiXSwiZXhwIjoxNzIzNjkyMDA0LCJpYXQiOjE3MjMwODcyMDQsImlzcyI6Imh0dHBzOi8vZGV2LWNhcy5pbGlleGlhbmcuY29tIiwianRpIjoiYWRtaW4vMDMyODBjYjItNTU5Yi00ZjI4LTlkMzMtOTU4M2I3ZmY2N2EyIiwibmJmIjoxNzIzMDg3MjA0LCJub25jZSI6IiIsInNjb3BlIjoib3BlbmlkIHByb2ZpbGUgb2ZmbGluZV9hY2Nlc3MiLCJzdWIiOiIyMmEwNGVlZi0yZDExLTQyZTgtYTY5Ni0wMDlmMWY3NzRlNDQiLCJ0YWciOiJzdGFmZiIsInRva2VuVHlwZSI6ImFjY2Vzcy10b2tlbiJ9.fzgfS4ISHimWjGVdLExVPVcbW1MU82USVtYvGItgoVV3Qj1XWNvxOU1VH-YuWINg-8rmrGDh4fqLSEhksxZReiIsPSCtuLJUkmyRDtP5P2eCmrnxkxbQRKuF_4coY0A1ur1bvvNWC-R1cP-D5cjoB96hdiBkkTh0QILNOKCmsXaNpIMjx6YTKuL3--0sSBRC1jhsgSiXcJM5zMkHlCylmM2BMMK8QZtNtGucQhw7_D-7HsXrKntbpdX_3CaOMPMt7EbAGbWGABc8VtpRhASK-G6rDQPtFZgJfLPNdI9tDG0khq2CR2Yh-V4vP3qeSEpcPFdyVi7pacD2M0zAvA0-HWCok03iIr8S8b3cm-caWqlW71eelUOkOLasQ_PFF-r_3dHffhhEs6-7euotuH-OqhW1Pub63mwFapGm-XKRAmwc8qVR5sGzcF6SgrikomoKaygvDFgu3Cav5-5QjryC-j6Dlf0vP_Kj8aPLzFeTcflulzrTenjcVIPgvgbxpHbktnxvlxjg7Eefg8aNr401_bbeTeiExYKWxqAcE5ZfluCEMOu07Q3PBQH83lrNS3ayhKOJpLg7DFzCyKmXrRdWDgYKj_LEYKi7SPNId_v43reYQAjXM23x2dWDBp2rtmPxQ7hl6RSpUQ6GlqOCD7IUMYAOpZil2Hju7fS2hHK_HjY",
  "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6ImNlcnQtYnVpbHQtaW4iLCJ0eXAiOiJKV1QifQ.eyJhdWQiOlsiYzJkZDE0NjcyZTc0MDM4N2FkOWYiXSwiZXhwIjoxNzIzNjkyMDA0LCJpYXQiOjE3MjMwODcyMDQsImlzcyI6Imh0dHBzOi8vZGV2LWNhcy5pbGlleGlhbmcuY29tIiwianRpIjoiYWRtaW4vMDMyODBjYjItNTU5Yi00ZjI4LTlkMzMtOTU4M2I3ZmY2N2EyIiwibmJmIjoxNzIzMDg3MjA0LCJub25jZSI6IiIsInNjb3BlIjoib3BlbmlkIHByb2ZpbGUgb2ZmbGluZV9hY2Nlc3MiLCJzdWIiOiIyMmEwNGVlZi0yZDExLTQyZTgtYTY5Ni0wMDlmMWY3NzRlNDQiLCJ0YWciOiJzdGFmZiIsInRva2VuVHlwZSI6ImFjY2Vzcy10b2tlbiJ9.fzgfS4ISHimWjGVdLExVPVcbW1MU82USVtYvGItgoVV3Qj1XWNvxOU1VH-YuWINg-8rmrGDh4fqLSEhksxZReiIsPSCtuLJUkmyRDtP5P2eCmrnxkxbQRKuF_4coY0A1ur1bvvNWC-R1cP-D5cjoB96hdiBkkTh0QILNOKCmsXaNpIMjx6YTKuL3--0sSBRC1jhsgSiXcJM5zMkHlCylmM2BMMK8QZtNtGucQhw7_D-7HsXrKntbpdX_3CaOMPMt7EbAGbWGABc8VtpRhASK-G6rDQPtFZgJfLPNdI9tDG0khq2CR2Yh-V4vP3qeSEpcPFdyVi7pacD2M0zAvA0-HWCok03iIr8S8b3cm-caWqlW71eelUOkOLasQ_PFF-r_3dHffhhEs6-7euotuH-OqhW1Pub63mwFapGm-XKRAmwc8qVR5sGzcF6SgrikomoKaygvDFgu3Cav5-5QjryC-j6Dlf0vP_Kj8aPLzFeTcflulzrTenjcVIPgvgbxpHbktnxvlxjg7Eefg8aNr401_bbeTeiExYKWxqAcE5ZfluCEMOu07Q3PBQH83lrNS3ayhKOJpLg7DFzCyKmXrRdWDgYKj_LEYKi7SPNId_v43reYQAjXM23x2dWDBp2rtmPxQ7hl6RSpUQ6GlqOCD7IUMYAOpZil2Hju7fS2hHK_HjY",
  "refresh_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJUb2tlblR5cGUiOiJyZWZyZXNoLXRva2VuIiwiYXVkIjpbImMyZGQxNDY3MmU3NDAzODdhZDlmIl0sImV4cCI6MTcyMzY5MjAwNCwiaWF0IjoxNzIzMDg3MjA0LCJpc3MiOiJodHRwczovL2Rldi1jYXMuaWxpZXhpYW5nLmNvbSIsImp0aSI6ImFkbWluLzAzMjgwY2IyLTU1OWItNGYyOC05ZDMzLTk1ODNiN2ZmNjdhMiIsIm5iZiI6MTcyMzA4NzIwNCwibm9uY2UiOiIiLCJzY29wZSI6Im9wZW5pZCBwcm9maWxlIG9mZmxpbmVfYWNjZXNzIiwic3ViIjoiMjJhMDRlZWYtMmQxMS00MmU4LWE2OTYtMDA5ZjFmNzc0ZTQ0IiwidGFnIjoic3RhZmYiLCJ0b2tlblR5cGUiOiJhY2Nlc3MtdG9rZW4ifQ.OXkguZuKserLw-L7coZ_hg7Vlxxm9IvCULsh582v_tWHeFEf2ULkv68GKTlxfVj24MDtiA57cbHjhjrZyRNKJVXmC0Fv1at6fLGxKdVCpPdliKmaIa_Ic23MsNkB8kxRfZhAYglQg6Y9fHxf6WVf17cxFdEAsn77ggxMjv_4A3h_I-y8SbhdLzMkjz1Qqx_0hSztVB02giQj1IZSi6oZopq_RDdKDL5p1DSM0FBQMODh3OSdE4nctdRMxZ9mpx6WoDvd0_ce-MdAUZC08upcYA31jzySxhCndLhceJi9BWKdxmmEY5Or6e5CzLRlM7-J7nU-l8ITBcOCavzaQUzl9YrjJsAqjiYqzTyS7Y28k2866-1hoQEWi1nY7kNv6aqqydD2TPPg1jRr_4-bLWIwxe9CAdIv-ExDvOOgumYel0qbY9BDJ4Nhi_FgARQHxtMdWVkH4UaFNGdrEduXOlNsXnY-4T9ITVAeGNwrm4FYis0KbnIBDZAdFkwYWdkE4JDIqOS6g9SpJ9_V_bsuwiZLadWtyU9G5NvEAtV3pYVPfDaIp1w_4rCl_G5D4soXHf4O2RAX2kHaDHw3E24TeNjwA5IUDb0szllxDlEIPrB3EvbEFknxYjGP2QEyezTZS320m76NGPVVeIeg2ClbQ6LY8HyGVQlOkC3OfyuN3CLX6zc",
  "token_type": "Bearer",
  "expires_in": 604800,
  "scope": "openid profile offline_access"
}
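
jkroepke's suggestion above (grab the token, decode it and check whether its expiry is what you configured) applied to a token shaped like the refresh_token in the curl output, as an added Go example; it is not code from openvpn-auth-oauth2, casdoor or this thread. The token embedded below is constructed (dummy signature), with the iat/exp values decoded from the posted refresh_token (1723087204 and 1723692004, which is exactly 604800 s, the 168 hours the reporter configured); DecodeClaims, Lifetime and RemainingAt are names chosen for the example. The signature is deliberately not verified: this inspects a token you already hold, it does not establish that the token is trustworthy.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims holds the registered claims needed to reason about a token's lifetime.
// aud is omitted on purpose: providers emit it as either a string or an array.
type Claims struct {
	Issuer    string `json:"iss"`
	Subject   string `json:"sub"`
	IssuedAt  int64  `json:"iat"`
	ExpiresAt int64  `json:"exp"`
	Scope     string `json:"scope"`
}

// DecodeClaims splits a compact JWS (header.payload.signature) and decodes
// the base64url payload. It does NOT verify the signature; see lead-in.
func DecodeClaims(token string) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("not a compact JWS (expected header.payload.signature)")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, fmt.Errorf("payload is not base64url: %w", err)
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, fmt.Errorf("payload is not a JSON claim set: %w", err)
	}
	if c.ExpiresAt == 0 {
		return c, errors.New("claim set has no exp; lifetime cannot be checked")
	}
	return c, nil
}

// Lifetime returns exp minus iat: the lifetime the provider actually granted.
func Lifetime(c Claims) time.Duration {
	return time.Duration(c.ExpiresAt-c.IssuedAt) * time.Second
}

// RemainingAt returns how long the token is still valid at instant now;
// zero or negative means it has expired.
func RemainingAt(c Claims, now time.Time) time.Duration {
	return time.Unix(c.ExpiresAt, 0).Sub(now)
}

// sampleToken builds a constructed, unsigned token whose iat/exp mirror the
// refresh_token posted in the thread (a 7-day lifetime).
func sampleToken() string {
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`))
	body := base64.RawURLEncoding.EncodeToString([]byte(
		`{"iss":"https://idp.example","sub":"user-1",` +
			`"iat":1723087204,"exp":1723692004,"scope":"openid profile offline_access"}`))
	return hdr + "." + body + ".signature-not-checked"
}

func main() {
	c, err := DecodeClaims(sampleToken())
	if err != nil {
		panic(err)
	}
	fmt.Printf("iss=%s sub=%s lifetime=%s\n", c.Issuer, c.Subject, Lifetime(c))
	fmt.Printf("remaining right after issue: %s\n", RemainingAt(c, time.Unix(c.IssuedAt, 0)))
}
```

To check a real token, pass the refresh_token string from the curl response to DecodeClaims instead of sampleToken(); if Lifetime comes back far below 168h, the provider's refresh-token lifetime setting, not openvpn-auth-oauth2, is what needs attention.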

jkroepke commented 3 months ago

You curl a different URL than the one configured:

    token: "https://door.casdoor.com/tokens"

lsx1205 commented 3 months ago

That URL is invalid: it does not contain token information, and with the -v option it returns HTML instead of JSON.

The URL above is taken from the official casdoor OIDC discovery document: https://door.casdoor.com/.well-known/openid-configuration

jkroepke commented 3 months ago

If casdoor provides a discovery endpoint, just remove the manual endpoint configuration from the openvpn-auth-oauth2 config and let openvpn-auth-oauth2 discover the correct settings.

lsx1205 commented 3 months ago

However, if the URL of casdoor's discovery endpoint is used, an error is reported when the reneg-sec time configured in OpenVPN is reached.

time=2024-08-08T14:07:35.691+08:00 level=DEBUG msg=">CLIENT:REAUTH,0,3\r\n>CLIENT:ENV,n_clients=1\r\n>CLIENT:ENV,password=SESS_ID_AT_byZhyF1217DwEf+3AAAAAGa0YDkAAAAAZrRgOW4wfpAohGOEqRszHXvZaAVBmLAOScb9CqiGcQqAobiH\r\n>CLIENT:ENV,session_id=byZhyF1217DwEf+3\r\n>CLIENT:ENV,session_state=AuthenticatedEmptyUser\r\n>CLIENT:ENV,untrusted_port=19809\r\n>CLIENT:ENV,untrusted_ip=xxxxxxxxx\r\n>CLIENT:ENV,common_name=\r\n>CLIENT:ENV,username=\r\n>CLIENT:ENV,IV_SSO=webauth,crtext\r\n>CLIENT:ENV,IV_GUI_VER=OCmacOS_3.4.9-4830\r\n>CLIENT:ENV,IV_AUTO_SESS=1\r\n>CLIENT:ENV,IV_LZO=1\r\n>CLIENT:ENV,IV_CIPHERS=AES-128-CBC:AES-192-CBC:AES-256-CBC:AES-128-GCM:AES-192-GCM:AES-256-GCM:CHACHA20-POLY1305\r\n>CLIENT:ENV,IV_MTU=1600\r\n>CLIENT:ENV,IV_PROTO=990\r\n>CLIENT:ENV,IV_TCPNL=1\r\n>CLIENT:ENV,IV_NCP=2\r\n>CLIENT:ENV,IV_PLAT=mac\r\n>CLIENT:ENV,IV_VER=3.8.2connect3\r\n>CLIENT:ENV,ifconfig_pool_netmask=255.255.255.0\r\n>CLIENT:ENV,ifconfig_pool_remote_ip=192.168.100.2\r\n>CLIENT:ENV,time_unix=1723097145\r\n>CLIENT:ENV,time_ascii=2024-08-08 14:05:45\r\n>CLIENT:ENV,trusted_port=19809\r\n>CLIENT:ENV,trusted_ip=xxxxxxxxx\r\n>CLIENT:ENV,remote_port_1=9194\r\n>CLIENT:ENV,local_port_1=9194\r\n>CLIENT:ENV,proto_1=tcp-server\r\n>CLIENT:ENV,daemon_pid=1534323\r\n>CLIENT:ENV,daemon_start_time=1723097137\r\n>CLIENT:ENV,daemon_log_redirect=1\r\n>CLIENT:ENV,daemon=0\r\n>CLIENT:ENV,verb=3\r\n>CLIENT:ENV,config=server.conf\r\n>CLIENT:ENV,ifconfig_local=192.168.100.1\r\n>CLIENT:ENV,ifconfig_netmask=255.255.255.0\r\n>CLIENT:ENV,script_context=init\r\n>CLIENT:ENV,tun_mtu=1500\r\n>CLIENT:ENV,dev=tun0\r\n>CLIENT:ENV,dev_type=tun\r\n>CLIENT:ENV,redirect_gateway=0\r\n>CLIENT:ENV,END\r\n"
time=2024-08-08T14:07:35.691+08:00 level=INFO msg="new client reauth" ip=xxxxxxxxx:19809 cid=0 kid=3 common_name="" reason=REAUTH session_id=byZhyF1217DwEf+3 session_state=AuthenticatedEmptyUser
time=2024-08-08T14:07:35.691+08:00 level=INFO msg="initiate non-interactive authentication via refresh token" ip=60.216.52.206:19809 cid=0 kid=3 common_name="" reason=REAUTH session_id=byZhyF1217DwEf+3 session_state=AuthenticatedEmptyUser
time=2024-08-08T14:07:35.762+08:00 level=WARN msg="error from token exchange: error from token exchange: ErrorType=invalid_grant Description=refresh token is invalid, expired or revoked" ip=xxxxxxxxx:19809 cid=0 kid=3 common_name="" reason=REAUTH session_id=byZhyF1217DwEf+3 session_state=AuthenticatedEmptyUser

Are there other commands or configurations that make the refresh_token get stored in memory? Is it the default?

lsx1205 commented 3 months ago

Dude, according to the documents, when oauth2.refresh.validate-user=true is set, openvpn-auth-oauth2 requests a refresh token during the initial connection and stores it.

The refresh tokens are stored in an in-memory key-value store and encrypted using AES. Each token is tied to either the OpenVPN client ID or the OpenVPN session ID. Can I get the corresponding refresh token based on the session ID? Or how do I know whether oauth2 decrypts it when it re-authenticates? Could it be a decryption error?

This is the wording of the error codes for token endpoint errors:

    invalid_grant | The authorization code or PKCE code verifier is invalid or has expired. | Try a new request to the /authorize endpoint and verify that the code_verifier parameter was correct.

jkroepke commented 3 months ago

I will deliver some debug logging soon, e.g. logging tokens to stdout.

> The authorization code or PKCE code verifier is invalid or has expired.

If the endpoint configuration is omitted, then openvpn-auth-oauth2 goes into OIDC mode with enhanced capabilities. One of them is PKCE. However, if casdoor is not compatible with PKCE, you may have to disable it:

      --oauth2.pkce
            If true, Proof Key for Code Exchange (PKCE) RFC 7636 is used for token exchange. (env: CONFIG_OAUTH2_PKCE) (default true)
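
What the PKCE check behind that "code verifier is invalid" wording actually is, as an added Go example that is not code from openvpn-auth-oauth2, casdoor or this thread: the client derives code_challenge from a random code_verifier with the S256 method (RFC 7636 §4.2) and sends the challenge to /authorize, and the token endpoint recomputes it from the verifier presented with the code and compares. Whether casdoor performs this check correctly is not established by the thread; NewVerifier, S256Challenge and TokenEndpointCheck are names chosen for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
)

// NewVerifier generates a code_verifier: 32 random bytes, base64url-encoded
// without padding, which yields 43 characters (within RFC 7636 §4.1's 43..128).
func NewVerifier() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// S256Challenge derives code_challenge = BASE64URL(SHA256(ASCII(code_verifier))).
func S256Challenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// TokenEndpointCheck is the provider-side step on the token request: recompute
// the challenge from the presented code_verifier and compare it, in constant
// time, with the code_challenge stored when the code was issued. A mismatch
// is the PKCE case of the invalid_grant error quoted above.
func TokenEndpointCheck(storedChallenge, presentedVerifier string) bool {
	got := S256Challenge(presentedVerifier)
	return subtle.ConstantTimeCompare([]byte(got), []byte(storedChallenge)) == 1
}

func main() {
	v, err := NewVerifier()
	if err != nil {
		panic(err)
	}
	ch := S256Challenge(v)
	// /authorize carries the challenge; the verifier stays with the client.
	fmt.Println("authorize: code_challenge=" + ch + "&code_challenge_method=S256")
	// /token carries the verifier; the provider recomputes and compares.
	fmt.Println("token endpoint accepts real verifier:", TokenEndpointCheck(ch, v))
	fmt.Println("token endpoint accepts wrong verifier:", TokenEndpointCheck(ch, "wrong"))
}
```

The RFC 7636 Appendix B vector (verifier dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk, challenge E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM) is a quick way to confirm that any implementation, yours or a provider's, computes S256 the same way.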

lsx1205 commented 3 months ago

Okay, thanks. I'll keep an eye on it

Now I set nonce to false in /etc/openvpn-auth-oauth2/config.yml. When the time set by reneg-sec is reached for the first time, the token refresh succeeds, but when the time is reached for the second time, even though the configured token time has not yet elapsed, the token refresh still fails. Here is my configuration:

openvpn:

    auth-gen-token 60 external-auth
    auth-gen-token-secret /etc/openvpn/keyfile
    hand-window 10
    reneg-sec 20

oauth2:

    oauth2:
      nonce: false
      pkce: true
      refresh:
        enabled: true
        expires: 0h1m0s
        secret: "1jd93h5b6s82lf03jh5b2hf9"
        use-session-id: true
        validate-user: true

In other words, refreshing the token at the first 20 seconds succeeds, refreshing the token at the 40th second fails, and the authentication at the redirect URL is invalid.

log:
time=2024-08-08T18:54:20.732+08:00 level=INFO msg="new client reauth" ip=xxxxxxxxx:64929 cid=0 kid=3 common_name="" reason=REAUTH session_id=VEDBiOajLVRRJbhq session_state=AuthenticatedEmptyUser
time=2024-08-08T18:54:20.733+08:00 level=INFO msg="initiate non-interactive authentication via refresh token" ip=xxxxxxxxx:64929 cid=0 kid=3 common_name="" reason=REAUTH session_id=VEDBiOajLVRRJbhq session_state=AuthenticatedEmptyUser
time=2024-08-08T18:54:20.785+08:00 level=INFO msg="successful authenticate via refresh token" ip=xxxxxxxxx:64929 cid=0 kid=3 common_name="" reason=REAUTH session_id=VEDBiOajLVRRJbhq session_state=AuthenticatedEmptyUser
time=2024-08-08T18:54:20.785+08:00 level=INFO msg="accept OpenVPN client cid 0, kid 3" ip=xxxxxxxxx:64929 cid=0 kid=3 common_name="" reason=REAUTH session_id=VEDBiOajLVRRJbhq session_state=AuthenticatedEmptyUser

time=2024-08-08T18:54:39.488+08:00 level=INFO msg="new client reauth" ip=xxxxxxxxx:64929 cid=0 kid=4 common_name="" reason=REAUTH session_id=VEDBiOajLVRRJbhq session_state=AuthenticatedEmptyUser
time=2024-08-08T18:54:39.488+08:00 level=INFO msg="initiate non-interactive authentication via refresh token" ip=xxxxxxxxx:64929 cid=0 kid=4 common_name="" reason=REAUTH session_id=VEDBiOajLVRRJbhq session_state=AuthenticatedEmptyUser
time=2024-08-08T18:54:39.509+08:00 level=WARN msg="error from token exchange: error from token exchange: ErrorType=invalid_grant Description=refresh token is invalid, expired or revoked" ip=xxxxxxxxx:64929 cid=0 kid=4 common_name="" reason=REAUTH session_id=VEDBiOajLVRRJbhq session_state=AuthenticatedEmptyUser

lsx1205 commented 3 months ago

Is it because the first refresh token is returned by casdoor, but the memory does not get the updated refresh token when the refresh is performed again, so the token is invalid?

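The hypothesis in the comment above (the provider rotates the refresh token on every refresh, and a store that keeps the original copy fails from the second renegotiation on) modelled end to end, as an added Go example that is not code from openvpn-auth-oauth2 or casdoor and does not claim to be what #298 changes. Whether casdoor rotates refresh tokens is not established by the thread; the toy Provider here does, and revokes the token it was given. The real store encrypts its values; that is left out because the behaviour being shown is what happens to the value, not how it is kept. Provider, Store, Reauth and RenegOutcomes are names chosen for the example, and the session_id is the one from the logs above.

```go
package main

import (
	"errors"
	"fmt"
)

// Provider models a token endpoint with refresh-token rotation: every
// successful refresh revokes the presented token and issues a new one.
type Provider struct {
	valid  map[string]bool
	serial int
}

func NewProvider() *Provider { return &Provider{valid: map[string]bool{}} }

func (p *Provider) issue() string {
	p.serial++
	t := fmt.Sprintf("rt-%d", p.serial)
	p.valid[t] = true
	return t
}

// Login stands in for the initial authorization-code exchange.
func (p *Provider) Login() string { return p.issue() }

// Refresh is grant_type=refresh_token; the presented token is revoked on success.
func (p *Provider) Refresh(token string) (string, error) {
	if !p.valid[token] {
		return "", errors.New("invalid_grant: refresh token is invalid, expired or revoked")
	}
	delete(p.valid, token)
	return p.issue(), nil
}

// Store maps an OpenVPN session_id to the refresh token held for it.
type Store map[string]string

// Reauth handles one CLIENT:REAUTH for a session. With updateStore=true the
// token the provider returns replaces the stored one; with false the store
// keeps the original token, which the provider has just revoked.
func Reauth(p *Provider, s Store, sessionID string, updateStore bool) error {
	old, ok := s[sessionID]
	if !ok {
		return errors.New("no refresh token stored for session")
	}
	fresh, err := p.Refresh(old)
	if err != nil {
		return err
	}
	if updateStore {
		s[sessionID] = fresh
	}
	return nil
}

// RenegOutcomes does an initial login followed by n renegotiations and
// returns, per renegotiation, whether the non-interactive refresh succeeded.
func RenegOutcomes(n int, updateStore bool) []bool {
	p, s := NewProvider(), Store{}
	const sessionID = "VEDBiOajLVRRJbhq" // session_id from the logs above
	s[sessionID] = p.Login()
	out := make([]bool, n)
	for i := range out {
		out[i] = Reauth(p, s, sessionID, updateStore) == nil
	}
	return out
}

func main() {
	// Matches the log pattern above: first reneg-sec succeeds, the next fails.
	fmt.Println("store keeps original token:", RenegOutcomes(3, false))
	fmt.Println("store takes rotated token: ", RenegOutcomes(3, true))
}
```

The first run reproduces the reported pattern exactly (success at 20 s, invalid_grant at 40 s); the second shows the same provider behaving correctly once the rotated token is written back. Against a provider that does not rotate, both runs succeed, so this also tells you which kind of provider you are talking to.
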
jkroepke commented 3 months ago

Could you test #298, if it solves your issue?

Binary builds: https://github.com/jkroepke/openvpn-auth-oauth2/actions/runs/10309250241/artifacts/1792386916