louketo / louketo-proxy

An OpenID / Proxy service
Apache License 2.0

/oauth/login endpoint does not set refresh token #590

Open abstractj opened 4 years ago

abstractj commented 4 years ago

What:

When the /oauth/login endpoint is enabled by "enable-login-handler", only the access token is added as a cookie. The refresh token is ignored and only returned inside the body of the response.

The problem with this is that the refresh token from the body cannot be used to refresh the access token. This is because the refresh token is not getting stored in Redis even if the store-uri parameter is set. Also, the client cannot set the value from the response body as a cookie, since that needs to be encrypted.

Reference:

johnhieu commented 4 years ago

The documentation doesn't specify that the refresh token is ignored completely when using /oauth/login (the refresh token will not be stored in a cookie or Redis). Only when looking at the source code in handlers.go do you know the refresh token is ignored.

A temporary solution for this problem is to modify the code in handlers.go. The loginHandler doesn't have the code to store the refresh token. oauthCallbackHandler on line 175 contains the code for storing refresh tokens. You can copy it and put it in loginHandler with a little bit of modification, and it should be ready to be built and used. I have tested it on my Docker and it seems to work as expected.
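As an added example, not louketo's own code, of the step the thread says loginHandler is missing: after the token exchange, persist the refresh token the way the callback path is described to, either into the backend selected by store-uri or into an encrypted HttpOnly cookie, rather than leaving it only in the JSON body. RefreshStore, MemStore, newGCM, encryptText, persistRefreshToken, the cookie name and keying the store by access token are all assumptions made for this example, not the project's identifiers.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"net/http"
)

// RefreshStore stands in for the backend selected by store-uri (hypothetical interface; keying by access token is an assumption).
type RefreshStore interface{ Set(accessToken, refreshToken string) error }
// MemStore is a constructed in-memory RefreshStore, enough to exercise the store path.
type MemStore map[string]string

func (m MemStore) Set(accessToken, refreshToken string) error { m[accessToken] = refreshToken; return nil }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptText seals a value with AES-GCM, nonce prefixed, so the browser only ever holds
// ciphertext; a stand-in for the proxy's own cookie encryption, not its implementation.
func encryptText(plain string, key []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(gcm.Seal(nonce, nonce, []byte(plain), nil)), nil
}

// persistRefreshToken is the step the thread says loginHandler lacks: refresh token into the
// store when one is configured, else into an encrypted HttpOnly cookie (cookie name assumed).
func persistRefreshToken(w http.ResponseWriter, accessToken, refreshToken string, key []byte, store RefreshStore) error {
	if store != nil {
		return store.Set(accessToken, refreshToken)
	}
	enc, err := encryptText(refreshToken, key)
	if err != nil {
		return err
	}
	http.SetCookie(w, &http.Cookie{Name: "refresh-token", Value: enc, Path: "/", HttpOnly: true, Secure: true})
	return nil
}
```

With a store configured the cookie is not written at all, which mirrors the thread's point that a refresh token the proxy cannot later read back (neither in its store nor in an encrypted cookie) is useless for renewing the access token.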