Closed ronnybremer closed 2 months ago
I verified the code and it is taking a newly returned refresh token into account (stores it into the session, so it's used at the next refresh token call). However, the culprit might lie a few lines later:
After successfully using the refresh token to get a new access token (an in my case refresh token) it does generate a new session ID, invalidating the previous session. Why is this necessary? Couldn't the new tokens being stored at the session object and used with the same session ID?
see https://github.com/zmartzone/lua-resty-openidc/issues/190 for an explanation why we are creating a new session here.
Oh, I talked about "the initial flow" in #452 because it was the first refresh. Of course lua-resty-openidc not only replaces the access token on refresh but all tokens it receives (there may be a new id token or not, there should be a new refresh token).
Thank you @bodewig for the pointer, I understand the reasoning now.
In fact, I am trying comprehend the logic behind an issue I see in APISIX's OIDC plugin, which uses openidc-resty. When the IDP returns a refresh token, it sometimes gets used to get a new access token, other times not. Also I never see a second attempt to refresh a token, it just redirects to the authentication workflow. And for API access (which doesn't support redirects), it somehow doesn't end up using the local function openidc_access_token, so the access token never gets refreshed and a DENIED is returned.
I will close this issue now, as the code in here seems to do what it is supposed to do and I will further dive into APISIX.
When your token expires lua-resty-openidc will try o obtain a new one using the refresh token it has obtained when the initial flow completed.
Originally posted by @bodewig in https://github.com/zmartzone/lua-resty-openidc/issues/452#issuecomment-1257182462
This seems to indicate, that lua-resty-openidc does not support rotating refresh tokens (a new refresh token is returned when refreshing a token with it, and needs to be used for the next refresh). Is that true?