solo-io / gloo

The Feature-rich, Kubernetes-native, Next-Generation API Gateway Built on Envoy
https://docs.solo.io/
Apache License 2.0

Okta OIDC - without a refresh token, when the access and id tokens are both expired a 500 is returned #7861

Open bdecoste opened 1 year ago

bdecoste commented 1 year ago

Gloo Edge Version

1.13.x (latest stable)

Kubernetes Version

None

Describe the bug

When using Okta OIDC without a refresh token, when the access and id tokens are both expired the request will return a 500. The request should be redirected back to the IdP login page.

Steps to reproduce the bug

  1. Configure Okta OIDC with allowRefreshing false
  2. Configure Okta so that the expiration of the access token < expiration of id token (60 mins)
  3. Send a request and go through the OIDC flow.
  4. Wait 1 hour until the id token expires and send another request
  5. A 500 is returned. This should redirect to the Okta login page

Expected Behavior

When there is no refresh token and the access and id tokens are expired a request should redirect to the Okta login page

Additional Context

No response

soloio-bot commented 1 year ago

Zendesk ticket #2338 has been linked to this issue.

edubonifs commented 1 year ago

With the following steps, our customer managed to work around this issue:

  1. Okta Application: Enabled refresh_tokens
  2. Gloo Edge: Added "offline_access" scope to /authorize request (in AuthConfig resource)
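
The workaround above, written out as a Gloo Edge AuthConfig (an added illustration, not the reporter's or the project's own configuration). The first resource is the failing setup from the bug report (refresh disabled, no `offline_access`); the second is the corrected one from the comment. The field layout follows the Gloo Edge `oidcAuthorizationCode` schema as documented for 1.13; resource names, URLs and client IDs are placeholders.

```yaml
# Before: refresh disabled and no offline_access scope. Once the access and id
# tokens have both expired the session cannot be renewed and, per this issue,
# the request fails with a 500 instead of being redirected to Okta to log in.
apiVersion: enterprise.gloo.solo.io/v1
kind: AuthConfig
metadata:
  name: okta-oidc-no-refresh          # constructed name
  namespace: gloo-system
spec:
  configs:
  - oauth2:
      oidcAuthorizationCode:
        appUrl: https://app.example.com                    # placeholder
        callbackPath: /callback
        clientId: OKTA_CLIENT_ID_PLACEHOLDER               # placeholder
        clientSecretRef:
          name: okta-client-secret                         # placeholder
          namespace: gloo-system
        issuerUrl: https://EXAMPLE-OKTA-DOMAIN/oauth2/default  # placeholder
        scopes:
        - openid
        - email
        session:
          cookie:
            allowRefreshing: false
---
# After (the workaround from the comment above): refresh enabled in Gloo and
# offline_access added to the /authorize request so Okta issues a refresh
# token. The Okta application itself must also have refresh tokens enabled,
# otherwise the extra scope alone does nothing.
apiVersion: enterprise.gloo.solo.io/v1
kind: AuthConfig
metadata:
  name: okta-oidc-with-refresh        # constructed name
  namespace: gloo-system
spec:
  configs:
  - oauth2:
      oidcAuthorizationCode:
        appUrl: https://app.example.com                    # placeholder
        callbackPath: /callback
        clientId: OKTA_CLIENT_ID_PLACEHOLDER               # placeholder
        clientSecretRef:
          name: okta-client-secret                         # placeholder
          namespace: gloo-system
        issuerUrl: https://EXAMPLE-OKTA-DOMAIN/oauth2/default  # placeholder
        scopes:
        - openid
        - email
        - offline_access        # asks Okta for a refresh token
        session:
          cookie:
            allowRefreshing: true   # let Gloo use that refresh token to renew the session
```

Two things to keep in mind when applying this: it is a workaround, not a fix for the reported behaviour, since a request whose tokens have all expired and that has no refresh token should still be redirected to the IdP rather than fail with a 500; and enabling refresh extends the effective lifetime of a browser session beyond the id token's 60 minutes, so the refresh token lifetime configured on the Okta application is now the value that bounds how long a stolen session cookie stays usable.
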

soloio-bot commented 10 months ago

Zendesk ticket #1410 has been linked to this issue.

github-actions[bot] commented 4 months ago

This issue has been marked as stale because of no activity in the last 180 days. It will be closed in the next 180 days unless it is tagged "no stalebot" or other activity occurs.