The gatekeeper may now check for some scopes to be in the access token.
Our use case is to be able to specialize gateways and allow only some
users to connect via a gateway.
Adding this new check on the token raised an issue: whenever a user is
rejected by the reverse proxy gateway, but yet has a valid OIDC session
(e.g. valid but missing some scopes), the redirection workflow has to
revoke the session so the end user does not remain locked on this error
page and can restart a full workflow with a new identity.
Changes:

- error handling: allowing more details to go down to the end user about
  the cause of the error
- logout handler: factored out the common logout/session revocation
  logic so it is called either from the logout endpoint (with success) or
  from the OAuth callback handler whenever it fails on the token
  validation (with 403 error)
- logout: added some debug messages to that part, which exhibits many
  variants
- logger: added the capability to decorate the internal logger with
  fields (while still maintaining the logs to trace span feature)
Signed-off-by: Frederic BIDON <frederic@oneconcern.com>
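As an added illustration (not code from this commit or from the gatekeeper project), the following Go sketch shows the two behaviours the message describes: checking that required scopes are present in the access token, and, when an otherwise valid session is rejected for a missing scope, revoking the session before returning the 403 so the user can restart the login flow with a different identity. The names `Gateway`, `Authorize`, `revokeSession`, `makeToken` and the cookie name are hypothetical. It assumes the token's `scope` claim is a space-delimited string (the RFC 9068 / RFC 8693 form) and that signature and expiry verification already happened upstream; `decodeClaims` deliberately does not verify anything and exists only so the example runs offline. The sample token is constructed inline.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// Claims is the subset of access-token claims the scope check needs.
// The "scope" claim is assumed to be a single space-delimited string,
// as RFC 9068 JWT access tokens carry it.
type Claims struct {
	Scope string `json:"scope"`
}

// decodeClaims extracts the payload of a compact JWS WITHOUT verifying the
// signature. A real gateway verifies signature and expiry before this point
// (assumption); the helper only keeps the example self-contained.
func decodeClaims(token string) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, errors.New("malformed token: expected header.payload.signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, fmt.Errorf("payload is not base64url: %w", err)
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, fmt.Errorf("payload is not JSON: %w", err)
	}
	return c, nil
}

// missingScopes returns the required scopes absent from the token, in the
// order they were required, so the error sent to the user can name them.
func missingScopes(c Claims, required []string) []string {
	have := make(map[string]bool)
	for _, s := range strings.Fields(c.Scope) {
		have[s] = true
	}
	var missing []string
	for _, r := range required {
		if !have[r] {
			missing = append(missing, r)
		}
	}
	return missing
}

// Gateway is a hypothetical per-gateway configuration: the scopes this
// gateway requires and the cookie that holds the session's access token.
type Gateway struct {
	RequiredScopes []string
	CookieName     string
}

// revokeSession is the shared revocation step, called both from logout and
// from the rejection path. Here it only expires the local session cookie;
// revoking the refresh token at the provider is out of scope (assumption).
func (g *Gateway) revokeSession(w http.ResponseWriter) {
	http.SetCookie(w, &http.Cookie{
		Name: g.CookieName, Value: "", Path: "/",
		MaxAge: -1, HttpOnly: true, Secure: true,
	})
}

// Authorize enforces the scope requirement. A session that is valid but
// lacks a scope is revoked BEFORE the 403 is written, so the user is not
// stuck on the error page and can log in again with another identity.
func (g *Gateway) Authorize(w http.ResponseWriter, r *http.Request) {
	ck, err := r.Cookie(g.CookieName)
	if err != nil {
		http.Error(w, "no session", http.StatusUnauthorized)
		return
	}
	claims, err := decodeClaims(ck.Value)
	if err != nil {
		g.revokeSession(w)
		http.Error(w, "invalid access token: "+err.Error(), http.StatusForbidden)
		return
	}
	if missing := missingScopes(claims, g.RequiredScopes); len(missing) > 0 {
		g.revokeSession(w)
		http.Error(w, "access denied: token lacks scope(s) "+strings.Join(missing, " "),
			http.StatusForbidden)
		return
	}
	fmt.Fprintln(w, "ok")
}

// makeToken builds an unsigned, constructed token for demonstration only.
func makeToken(scope string) string {
	enc := func(v interface{}) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	return enc(map[string]string{"alg": "none", "typ": "JWT"}) + "." + enc(Claims{Scope: scope}) + ".sig"
}

func main() {
	c, _ := decodeClaims(makeToken("openid gateway-a"))
	fmt.Println(missingScopes(c, []string{"openid", "gateway-b"})) // [gateway-b]
}
```

The ordering inside `Authorize` is the security-relevant detail: `revokeSession` must run before `http.Error`, because once the status line is written further `Set-Cookie` headers are discarded, and the user would keep a session that the gateway rejects on every retry.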