k8sgateway / k8sgateway

The Cloud-Native API Gateway and AI Gateway
https://k8sgateway.io/
Apache License 2.0

OIDC - expired access token is allowed if id token is unexpired #7860

Open bdecoste opened 1 year ago

bdecoste commented 1 year ago

Gloo Edge Version

1.13.x (latest stable)

Kubernetes Version

None

Describe the bug

If an OIDC request is made with an expired access token but the ID token is unexpired, then the request is allowed.

Steps to reproduce the bug

  1. Configure a Route with OIDC configured
  2. Configure the provider so that the access token has a smaller expiration time than the ID token (e.g. Okta, as the Okta ID token expiration is hardcoded to 60 mins)
  3. Send a request and go through the OIDC flow
  4. Wait until the access token has expired but before the ID token has expired
  5. Note that the request is still accepted

Expected Behavior

When the access token has expired (and there is no refresh token, or the refresh token has expired), then the request should be rejected and redirected back to the IdP.

Additional Context

No response
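The session check the reporter expects, written out as an added Go example that is not the reporter's text and not k8sgateway's or Gloo's own ext-auth code. It places the behaviour described in the issue (only the ID token's `exp` is consulted) beside a check that also enforces the access token's lifetime and, when the access token has lapsed, either refreshes or redirects to the IdP. The `Session`, `NewSession`, `Decision` names and the 5-minute/60-minute timeline are assumptions made for the example; the access-token expiry is derived from the token response's `expires_in` rather than from the token body, so it works for opaque access tokens as well as JWTs.

```go
package main

import (
	"fmt"
	"time"
)

// Decision is the outcome of the per-request session check.
type Decision int

const (
	Allow    Decision = iota // both tokens unexpired: forward the request
	Refresh                  // access token expired, refresh token still usable
	Redirect                 // nothing usable: send the user back to the IdP
)

func (d Decision) String() string {
	return [...]string{"Allow", "Refresh", "Redirect"}[d]
}

// Session models what a gateway keeps after the authorization-code exchange.
// The field names are assumptions made for this example, not the project's types.
type Session struct {
	IDTokenExpiry      time.Time // the ID token's exp claim
	AccessTokenExpiry  time.Time // issuedAt + expires_in from the token response
	RefreshTokenExpiry time.Time // zero when the IdP issued no refresh token
}

// NewSession derives the expiries from the fields an IdP actually returns:
// expires_in (seconds) for the access token, the exp claim (Unix seconds)
// for the ID token, and an optional refresh-token lifetime in seconds
// (zero means no refresh token was issued).
func NewSession(issuedAt time.Time, expiresIn int, idTokenExp int64, refreshExpiresIn int) Session {
	s := Session{
		AccessTokenExpiry: issuedAt.Add(time.Duration(expiresIn) * time.Second),
		IDTokenExpiry:     time.Unix(idTokenExp, 0),
	}
	if refreshExpiresIn > 0 {
		s.RefreshTokenExpiry = issuedAt.Add(time.Duration(refreshExpiresIn) * time.Second)
	}
	return s
}

// checkIDTokenOnly reproduces the behaviour the issue describes: the request
// is accepted as long as the ID token is unexpired, so an expired access
// token is still forwarded upstream.
func checkIDTokenOnly(s Session, now time.Time) Decision {
	if now.Before(s.IDTokenExpiry) {
		return Allow
	}
	return Redirect
}

// checkBothTokens is the expected behaviour: the access token is checked
// independently of the ID token. An expired access token leads to a refresh
// when a usable refresh token exists, otherwise to a redirect to the IdP.
func checkBothTokens(s Session, now time.Time) Decision {
	if now.Before(s.IDTokenExpiry) && now.Before(s.AccessTokenExpiry) {
		return Allow
	}
	if !s.RefreshTokenExpiry.IsZero() && now.Before(s.RefreshTokenExpiry) {
		return Refresh
	}
	return Redirect
}

func main() {
	// Constructed timeline: a 5-minute access token and a 60-minute ID token,
	// the Okta shape the reporter mentions, with no refresh token issued.
	issuedAt := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)
	s := NewSession(issuedAt, 300, issuedAt.Add(60*time.Minute).Unix(), 0)

	for _, offset := range []time.Duration{1 * time.Minute, 10 * time.Minute, 61 * time.Minute} {
		now := issuedAt.Add(offset)
		fmt.Printf("t+%v: id-token-only=%v both-tokens=%v\n",
			offset, checkIDTokenOnly(s, now), checkBothTokens(s, now))
	}
}
```

At t+10m the ID-token-only check still returns Allow while the combined check returns Redirect, which is the discrepancy the issue reports; with a refresh token in the session the combined check returns Refresh instead, so the gateway can obtain a new access token before forwarding rather than bouncing the user.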

github-actions[bot] commented 5 months ago

This issue has been marked as stale because of no activity in the last 180 days. It will be closed in the next 180 days unless it is tagged "no stalebot" or other activity occurs.