quarkusio / quarkus

Quarkus: Supersonic Subatomic Java.
https://quarkus.io
Apache License 2.0

quarkus-oidc does not check expiry timestamp of refresh token, resulting in failed refresh call. #41830

Closed jens-crelan closed 1 month ago

jens-crelan commented 2 months ago

Describe the bug

We are using quarkus-oidc in our project. Our identity server is configured with the following settings:

ID token lifespan: 5m
Access token lifespan: 5m
Refresh token lifespan: 30m

In a normal case, you would set quarkus.oidc.authentication.session-age-extension to 25m. We have a case where we wanted to close the session when the user closes his browser, so we modified the session cookies to have a 'Session' lifespan. This extends the quarkus session beyond those 30m.

We observed that after 30 minutes of inactivity, an attempt is made to refresh the id token. This request will fail, because the refresh token is expired. The refresh token has an expiry date, which could be checked before the refresh request.

Expected behavior

When an id token is expired, quarkus should check if the refresh token is expired. If the refresh token is expired, quarkus should not make an attempt to refresh the id token.

Actual behavior

Currently an ID token refresh is attempted without checking the expiry time of the refresh token.

How to Reproduce?

  1. Modify the config so a quarkus session lives longer than a refresh token. For example:
    • refresh token age: 30m
    • quarkus.oidc.authentication.session-age-extension set to 1h
  2. Successfully log into your application
  3. Stay idle for longer than 30m but not longer than 1h
  4. Interact with your application
  5. You will see the "Token as expired, trying to refresh it" debug log.

Output of uname -a or ver

No response

Output of java -version

java 17.0.5 2022-10-18 LTS

Quarkus version or git rev

3.6.1

Build tool (i.e. output of mvnw --version or gradlew --version)

No response

Additional information

No response
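The check the report asks for, as an added example that is not Quarkus code: before calling the token endpoint, decode the payload of a JWT-formatted refresh token, read its `exp` claim and skip the doomed refresh call when the token is already past it. Class and method names (`RefreshTokenExpiryCheck`, `shouldAttemptRefresh`) and the sample token are constructed for this illustration; opaque (non-JWT) refresh tokens fall back to attempting the refresh, since only the provider can judge them.

```java
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Hypothetical helper, not part of quarkus-oidc: decides whether an ID token refresh
// is worth attempting by looking at the refresh token's own "exp" claim.
public class RefreshTokenExpiryCheck {

    // Matches the numeric "exp" claim inside the decoded JSON payload (seconds since epoch).
    private static final Pattern EXP_CLAIM = Pattern.compile("\"exp\"\\s*:\\s*(\\d+)");

    /** Returns the exp claim of a compact JWT, or null when the token is opaque or has no exp. */
    static Long expiryOf(String token) {
        String[] parts = token.split("\\.");
        if (parts.length < 2) {
            return null;                       // not header.payload[.signature] form
        }
        byte[] payload;
        try {
            payload = Base64.getUrlDecoder().decode(parts[1]);   // padding is optional for this decoder
        } catch (IllegalArgumentException e) {
            return null;                       // opaque token, not base64url
        }
        Matcher m = EXP_CLAIM.matcher(new String(payload, StandardCharsets.UTF_8));
        return m.find() ? Long.valueOf(m.group(1)) : null;
    }

    /**
     * True when a refresh call still makes sense. skewSeconds (assumed, caller-chosen) treats the
     * token as expired slightly early so a request that the provider would reject is never sent.
     * Signature verification is deliberately not done here: the provider still validates the token.
     */
    static boolean shouldAttemptRefresh(String refreshToken, Instant now, long skewSeconds) {
        Long exp = expiryOf(refreshToken);
        if (exp == null) {
            return true;                       // opaque refresh token: let the provider decide
        }
        return now.getEpochSecond() + skewSeconds < exp;
    }

    public static void main(String[] args) {
        // Constructed sample token (unsigned, exp = 1700000000); signature part is left empty.
        Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
        String header = enc.encodeToString("{\"alg\":\"none\"}".getBytes(StandardCharsets.UTF_8));
        String payload = enc.encodeToString("{\"exp\":1700000000,\"typ\":\"Refresh\"}".getBytes(StandardCharsets.UTF_8));
        String token = header + "." + payload + ".";
        System.out.println("one minute before exp, attempt refresh: "
                + shouldAttemptRefresh(token, Instant.ofEpochSecond(1700000000L - 60), 10));
        System.out.println("one minute after exp, attempt refresh: "
                + shouldAttemptRefresh(token, Instant.ofEpochSecond(1700000000L + 60), 10));
    }
}
```

When the refresh token is found to be expired, the session should be treated as ended (redirect to login) rather than retried, which is the behaviour the report expects for sessions that outlive the refresh token lifespan.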

quarkus-bot[bot] commented 2 months ago

/cc @pedroigor (oidc), @sberyozkin (oidc)

sberyozkin commented 2 months ago

@jens-crelan Is it in JWT format? If yes, we can check if it itself has expired.

jens-crelan commented 2 months ago

@sberyozkin yes it is