
AuthService assumes tokens are expired when the UserInfo call fails #32

Closed
apyrgio opened this issue Jul 13, 2020 · 1 comment
apyrgio commented Jul 13, 2020

While performing some tests on a long-lived session with strict session validation enabled, we noticed that requests started to fail after some point. We believe the reason was the following:

  1. The client probably closed the TCP connection after sending a request. This can happen if a browser sends a request and gets immediately interrupted, e.g., due to a refresh.
  2. The server detected the closed connection and sent a cancellation signal to the context.
  3. The goroutine that was querying the user info got cancelled midway.
  4. We interpreted the failure to get the user info as an expired token, and we deleted the session. Unfortunately, we can't have an accurate description of the error, because the go-oidc library does not permit this (see: userinfo: expose http response information to library callers coreos/go-oidc#248).

We should properly detect the reason why the user info call fails, and delete the session only when we are positive that the token has expired.
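The distinction the report asks for, written out as an added example in Go (this is not the project's code and does not use go-oidc; it talks to a constructed stand-in for the provider's UserInfo endpoint with the standard library only). `Classify` consults the request's own context before looking at anything else, so a request cancelled because the browser went away is reported as transient rather than as an expired token; only an HTTP 401 from the provider counts as a rejected token. `KeepSession` then applies the policy from the follow-up commits: on a rejected token, try to renew the access token with the refresh token (the `renew` callback is a hypothetical hook standing in for the real token-endpoint exchange) and drop the session only when that renewal is definitively refused. The `RunScenarios` helper replays the four situations (valid token, expired token, provider error, client cancellation mid-request) against the fake provider.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// Outcome is what a UserInfo call tells the session-validation code.
type Outcome int

const (
	OutcomeOK            Outcome = iota
	OutcomeTokenRejected         // provider answered 401: the access token is not accepted
	OutcomeTransient             // our context was cancelled or the transport failed: says nothing about the token
	OutcomeUnexpected            // any other non-2xx status: log it, keep the session
)

// StatusError keeps the HTTP status of a non-2xx response so callers can tell 401 from 503.
type StatusError struct{ Code int }

func (e *StatusError) Error() string { return fmt.Sprintf("userinfo: HTTP %d", e.Code) }

// CallUserInfo does a bare GET on the UserInfo endpoint with a bearer token.
func CallUserInfo(ctx context.Context, client *http.Client, url, accessToken string) error {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
	if err != nil {
		return err
	}
	req.Header.Set("Authorization", "Bearer "+accessToken)
	resp, err := client.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode < 200 || resp.StatusCode > 299 {
		return &StatusError{Code: resp.StatusCode}
	}
	return nil
}

// Classify maps a CallUserInfo error to an Outcome. The request's own context is checked
// first: a request cancelled because the client went away proves nothing about the token.
func Classify(ctx context.Context, err error) Outcome {
	if err == nil {
		return OutcomeOK
	}
	if ctx.Err() != nil || errors.Is(err, context.Canceled) || errors.Is(err, context.DeadlineExceeded) {
		return OutcomeTransient
	}
	var se *StatusError
	if errors.As(err, &se) {
		if se.Code == http.StatusUnauthorized {
			return OutcomeTokenRejected
		}
		return OutcomeUnexpected
	}
	return OutcomeTransient // connection refused, reset, TLS failure: keep the session, retry later
}

// KeepSession drops the session only when the provider rejected the access token AND the
// refresh exchange (renew is a hypothetical hook) was definitively refused with HTTP 400/401.
func KeepSession(ctx context.Context, client *http.Client, url, access, refresh string,
	renew func(context.Context, string) (string, error)) bool {
	if Classify(ctx, CallUserInfo(ctx, client, url, access)) != OutcomeTokenRejected {
		return true
	}
	newAccess, err := renew(ctx, refresh)
	if err != nil {
		var se *StatusError
		refused := errors.As(err, &se) && (se.Code == http.StatusBadRequest || se.Code == http.StatusUnauthorized)
		return !refused
	}
	return Classify(ctx, CallUserInfo(ctx, client, url, newAccess)) != OutcomeTokenRejected
}

// newFakeProvider is a constructed stand-in for the provider's UserInfo endpoint.
func newFakeProvider() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch r.Header.Get("Authorization") {
		case "Bearer valid":
			fmt.Fprint(w, `{"sub":"alice"}`)
		case "Bearer expired":
			w.Header().Set("WWW-Authenticate", `Bearer error="invalid_token"`)
			w.WriteHeader(http.StatusUnauthorized)
		case "Bearer slow": // client disconnects mid-request, as in step 1 of the report
			select {
			case <-r.Context().Done():
			case <-time.After(2 * time.Second):
			}
		default:
			w.WriteHeader(http.StatusInternalServerError)
		}
	}))
}

// RunScenarios replays the situations from the report against the fake provider.
func RunScenarios() (outcomes map[string]Outcome, keep map[string]bool) {
	srv := newFakeProvider()
	defer srv.Close()
	bg := context.Background()
	outcomes = map[string]Outcome{}
	for _, tok := range []string{"valid", "expired", "broken"} {
		outcomes[tok] = Classify(bg, CallUserInfo(bg, srv.Client(), srv.URL, tok))
	}
	ctx, cancel := context.WithTimeout(bg, 50*time.Millisecond) // browser refresh: cancelled in flight
	defer cancel()
	outcomes["slow"] = Classify(ctx, CallUserInfo(ctx, srv.Client(), srv.URL, "slow"))

	refused := func(context.Context, string) (string, error) { return "", &StatusError{Code: 400} }
	renewed := func(context.Context, string) (string, error) { return "valid", nil }
	keep = map[string]bool{
		"cancelled":       KeepSession(ctx, srv.Client(), srv.URL, "slow", "rt", refused),
		"expired+refused": KeepSession(bg, srv.Client(), srv.URL, "expired", "rt", refused),
		"expired+renewed": KeepSession(bg, srv.Client(), srv.URL, "expired", "rt", renewed),
	}
	return outcomes, keep
}

func main() {
	o, k := RunScenarios()
	fmt.Println(o, k)
}
```

Checking `ctx.Err()` before inspecting the error is the important part: whether the cancelled call surfaces as `context.Canceled`, `context.DeadlineExceeded`, or a transport error wrapped by the HTTP client, the session survives, and only a 401 from the provider (followed by a refused refresh) removes it.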

@apyrgio apyrgio assigned apyrgio and yanniszark and unassigned apyrgio Jul 13, 2020
apyrgio pushed a commit that referenced this issue Jul 13, 2020
The UserInfo endpoint is called with an OAuth2 access token. The access
token expires after a while and then we must renew it with the refresh
token. Update the code so that it takes care of renewing the access
token.

Closes #32

Signed-off-by: Yannis Zarkadas <yanniszark@arrikto.com>
apyrgio pushed a commit that referenced this issue Jul 13, 2020
The UserInfo endpoint is called with an OAuth2 access token. The access
token expires after a while and then we must renew it with the refresh
token. Update the code so that it takes care of renewing the access
token.

Closes #32
Github-PR: #31

Signed-off-by: Yannis Zarkadas <yanniszark@arrikto.com>
@yanniszark

Closing with PR: #31
