nginxinc / nginx-openid-connect

Reference implementation of OpenID Connect integration for NGINX Plus
https://www.nginx.com/products/nginx/

Optional ID token should not be required on token refresh #102

Open anderius opened 1 month ago

anderius commented 1 month ago

Our setup fails to refresh tokens, simply because our IdP does not return id_token in the refresh token response.

As can be seen here, that is optional: https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokenResponse

Upon successful validation of the Refresh Token, the response body is the Token Response of Section 3.1.3.3 except that it might not contain an id_token.

The code here, however, requires id_token:

https://github.com/nginxinc/nginx-openid-connect/blob/afa8f4c01cee5da509e74cdfcf837df088a70b13/openid_connect.js#L85-L92

It would be nice if id_token was not required.

anderius commented 4 weeks ago

Another very related issue with the code is that it uses the id token in the variable session_jwt, and that is used in validating each request:

https://github.com/nginxinc/nginx-openid-connect/blob/afa8f4c01cee5da509e74cdfcf837df088a70b13/frontend.conf#L21

This does not work when the id-token is not refreshed.
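Added example (not code from nginx-openid-connect or the issue author): a refresh-response handler that treats id_token as optional, as OIDC Core permits, and keeps the previous ID token in session_jwt when the IdP omits it. The session object shape, the function name and the token values are assumptions constructed for the demo.

```javascript
// Constructed refresh-token responses: one IdP that returns a new id_token,
// one that omits it (allowed by OIDC Core section 12.2).
const REFRESH_WITH_ID_TOKEN = JSON.stringify({
  access_token: "at-2", token_type: "Bearer", expires_in: 3600,
  refresh_token: "rt-2", id_token: "idt-2",
});
const REFRESH_WITHOUT_ID_TOKEN = JSON.stringify({
  access_token: "at-3", token_type: "Bearer", expires_in: 3600,
  refresh_token: "rt-3",
});

// session (assumed shape): { access_token, refresh_token, session_jwt }
// where session_jwt holds the ID token used for per-request validation.
// Returns a new session object, or throws when the response is unusable.
function applyRefreshResponse(session, responseBody) {
  let tokens;
  try {
    tokens = JSON.parse(responseBody);
  } catch (e) {
    throw new Error("token endpoint returned a non-JSON body");
  }
  // An OAuth error object (e.g. invalid_grant) means the refresh failed.
  if (tokens.error) {
    throw new Error("token endpoint error: " + tokens.error);
  }
  // access_token and a Bearer token_type are mandatory in every token response.
  if (typeof tokens.access_token !== "string" || tokens.access_token === "") {
    throw new Error("refresh response is missing access_token");
  }
  if (!/^bearer$/i.test(String(tokens.token_type || ""))) {
    throw new Error("unexpected token_type in refresh response");
  }
  const updated = Object.assign({}, session, {
    access_token: tokens.access_token,
    id_token_refreshed: false,
  });
  // The IdP may rotate the refresh token; otherwise the old one stays valid.
  if (typeof tokens.refresh_token === "string" && tokens.refresh_token !== "") {
    updated.refresh_token = tokens.refresh_token;
  }
  // id_token is optional here: replace session_jwt only when a new one arrives,
  // otherwise keep the existing ID token so the session is not torn down.
  // Caveat: if per-request validation rejects the retained ID token on exp,
  // that validation must instead be keyed on the refreshed access token.
  if (typeof tokens.id_token === "string" && tokens.id_token !== "") {
    updated.session_jwt = tokens.id_token;
    updated.id_token_refreshed = true;
  }
  return updated;
}
```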