zmartzone / lua-resty-openidc

OpenID Connect Relying Party and OAuth 2.0 Resource Server implementation in Lua for NGINX / OpenResty
Apache License 2.0
974 stars 248 forks

id_token validation doesn't work when silent auth is disabled #394

Open jwierzbo opened 3 years ago

jwierzbo commented 3 years ago

I've observed that once silent auth is disabled (refresh_session_interval=nil) then no validation comes for the id_token. You can use it until the session's end of life, which can be adjusted by the session_cookie_lifetime variable, even if you log out!

Environment
Expected behaviour

Once you log out and your id_token is expired (exp token field), the request should be rejected/redirected to the login page.

Actual behaviour

You can use an outdated id_token after logout until its session expiration, configured by the session_cookie_lifetime variable.

Minimized example
local opts = {
  -- keep only the id_token in the session; a comma was missing after this entry
  session_contents = {id_token=true,enc_id_token=false,user=false,access_token=false},
  -- nil disables silent re-authentication
  refresh_session_interval = nil
}
Configuration and NGINX server log files

Config and logs for the minimized example, possibly provided as attachments.
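A defensive workaround for the behaviour reported above, as an added example that is neither part of this issue nor the project's own code: after authenticate() returns, check the exp claim of the cached id_token yourself and force a fresh login when it has passed, instead of trusting the session cookie until session_cookie_lifetime. It assumes the documented return values of authenticate() (res, err, target_url, session), that res.id_token holds the decoded claims, and a 60-second clock-skew allowance chosen here; the discovery URL and client credentials are placeholders.

```lua
-- access_by_lua_block for a protected location (added example; assumes
-- lua-resty-openidc's authenticate() returns res, err, target_url, session).
local openidc = require("resty.openidc")

local opts = {
  redirect_uri = "/redirect_uri",                                        -- assumed
  discovery = "https://idp.example.com/.well-known/openid-configuration", -- placeholder
  client_id = "CLIENT_ID_PLACEHOLDER",
  client_secret = "CLIENT_SECRET_PLACEHOLDER",
  session_contents = { id_token = true, enc_id_token = false, user = false, access_token = false },
  refresh_session_interval = nil,  -- silent auth disabled, as in the report
}

-- Clock-skew tolerance in seconds (assumed value).
local CLOCK_SKEW = 60

-- Returns true only when the cached id_token carries a numeric exp claim
-- that is still in the future; a missing claim is treated as expired.
local function id_token_still_valid(id_token, now)
  if type(id_token) ~= "table" or type(id_token.exp) ~= "number" then
    return false
  end
  return now < id_token.exp + CLOCK_SKEW
end

local res, err, target_url, session = openidc.authenticate(opts)
if err then
  ngx.log(ngx.ERR, "openidc authenticate failed: ", err)
  return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
end

if not id_token_still_valid(res.id_token, ngx.time()) then
  -- Drop the session so the next request starts a new login flow
  -- rather than being served from the stale cookie.
  if session then
    session:destroy()
  end
  return ngx.redirect(ngx.var.request_uri)
end
```

This only covers the id_token expiry; the refresh-token behaviour discussed later in the thread is a separate problem.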

jwierzbo commented 3 years ago

I've observed that if I enable access_token=true in session_contents and add the proper configuration in Azure AD, then validation works fine for the access token even if silent auth is disabled. BUT if you try to log out, the refresh token is still working! So your id_token with access token will be accepted after a refresh with the refresh token even if you previously logged out!

ID token expiration is not validated at all if access token is disabled.

[edit] I've tried to use revoke_tokens_on_logout=true, but during logout I see the following message: no revocation endpoint supplied. unable to revoke refresh token

As I see, neither Keycloak nor AzureAD provides a revocation_endpoint field in their discovery endpoints.

How to make Refresh Token obsolete then?