zmartzone / lua-resty-openidc

OpenID Connect Relying Party and OAuth 2.0 Resource Server implementation in Lua for NGINX / OpenResty
Apache License 2.0

Refreshing tokens on non-GET requests #236

Open ghost opened 5 years ago

ghost commented 5 years ago
Environment
Expected behaviour

It would be nice to have the possibility to continue the user request in its original form.

Actual behaviour

The token refreshing mechanism works for GET requests only, e.g. POST requests will refresh the token but they will be changed to a GET request, and the message body is lost as we only store the "target url" before redirects. https://github.com/zmartzone/lua-resty-openidc/blob/master/lib/resty/openidc.lua#L1115

Minimized example

not needed

Configuration and NGINX server log files

not needed

zandbelt commented 5 years ago

Yes, certainly a nice-to-have, but it comes with its own complexity of where to store the POST data and how to avoid all types of security (client-side) or DoS (server-side) attacks.
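As an added illustration of the two points above (constructed example, not code from lua-resty-openidc or from either commenter): a relying party that stashes only the target URL before the refresh redirect resumes a POST as a body-less GET, while a variant that also keeps the method and body must bound that state by size and lifetime to limit the server-side storage exposure. The limits, names and sample URLs are assumptions.

```python
# Constructed illustration of the limitation discussed in this issue; it is
# not lua-resty-openidc code. "URL only" mirrors the behaviour described in
# the report; "bounded" keeps method and body as well, capped by size and TTL
# so a client cannot inflate server-side session state. Limits are assumed.
from dataclasses import dataclass
from typing import Optional

MAX_STORED_BODY = 16 * 1024   # assumed cap on body bytes kept per session
STORED_TTL = 300              # assumed lifetime (seconds) of a stashed request


@dataclass
class Request:
    method: str
    url: str
    body: bytes = b""


@dataclass
class Session:
    target_url: Optional[str] = None     # what the "URL only" strategy keeps
    pending: Optional[dict] = None       # method/body/expiry for bounded replay


def stash_url_only(session: Session, req: Request) -> None:
    """Current behaviour: only the URL survives the refresh redirect."""
    session.target_url = req.url


def resume_url_only(session: Session) -> Request:
    """A browser following a 302 back to the target URL issues a GET, no body."""
    return Request("GET", session.target_url)


def stash_bounded(session: Session, req: Request, now: float) -> bool:
    """Also keep method and body, refusing oversized bodies.
    Returns True if the full request can be replayed, False if it degraded
    to URL-only because the body exceeded the cap."""
    stash_url_only(session, req)
    if req.method == "GET":
        return True
    if len(req.body) > MAX_STORED_BODY:
        return False                       # refuse to grow state for this client
    session.pending = {"method": req.method, "url": req.url,
                       "body": req.body, "exp": now + STORED_TTL}
    return True


def resume_bounded(session: Session, now: float) -> Request:
    """Replay the stored request once if unexpired, else fall back to GET."""
    p, session.pending = session.pending, None   # single use, then discard
    if p is not None and now <= p["exp"]:
        return Request(p["method"], p["url"], p["body"])
    return resume_url_only(session)
```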

ghost commented 5 years ago

IMHO this information should be somewhere among the library limitations. It's quite common to have a web app in e.g. React that, upon loading its JS, may only (or mostly) perform POST requests. lua-resty-openidc will not be able to maintain the SSO session despite the user's continuous interactions.

zandbelt commented 5 years ago

Fair point indeed.