Validate a session using the access token in the OIDC provider

[gysel]

Some Identity Providers do not issue an updated ID Token when call the refresh endpoint.

This causes problems with the OIDC provider as it uses the ID Token to validate a session after a refresh.

I propose to validate the access token instead when --validate-url is set.

Description

Another solution would be to validate the ID token only during the initial session creation and skip the validation after the refresh. This seems to be the case with versions < v7.2.0.

Motivation and Context

Fixes #1640

How Has This Been Tested?

I use a similar version of this patch in production for several weeks now.

I will perform more tests on our side in the coming days.

Checklist:

• My change requires a change to the documentation or CHANGELOG.
• I have updated the documentation/CHANGELOG accordingly.
• I have created a feature (non-master) branch for my PR.

[gysel]

I will do more testing and update the CHANGELOG next week.

[JoelSpeed]

I was under the impression that the whole point of a refresh token was to refresh the ID Token, which provider are you using out of interest?

[gysel]

I was under the impression that the whole point of a refresh token was to refresh the ID Token,

It is valid, according to the specification, to only refresh the access token and not the ID Token.

Upon successful validation of the Refresh Token, the response body is the Token Response of Section 3.1.3.3 except that it might not contain an id_token.
Source: https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokenResponse

which provider are you using out of interest?

We use oauth2-proxy with multiple customer and several IdPs. We found this problem so far only with Ping Identity.

[ghost]

zhanna.r29.09.84@gmail.com

[r-kotagudem]

@gysel gysel could you help with docker image of binary built from your fix branch hosted on docker hub?

[gysel]

@r-kotagudem I would not use binaries built by random strangers on the internet ;) You can easily build your own images, the Docker command to do so is in the Makefile (https://github.com/oauth2-proxy/oauth2-proxy/blob/master/Makefile#L55).

[r-kotagudem]

@r-kotagudem I would not use binaries built by random strangers on the internet ;) You can easily build your own images, the Docker command to do so is in the Makefile (https://github.com/oauth2-proxy/oauth2-proxy/blob/master/Makefile#L55).

thanks, my system had some docker related environment issues. and wanted to test with your changes.

[github-actions]

This pull request has been inactive for 60 days. If the pull request is still relevant please comment to re-activate the pull request. If no action is taken within 7 days, the pull request will be marked closed.

[gysel]

this is still relevant to us

[mjgp2]

Can we get this merged?

[gysel]

This is ready to be merged IMHO. Please let me know in case I should do any other changes.

[github-actions]

This pull request has been inactive for 60 days. If the pull request is still relevant please comment to re-activate the pull request. If no action is taken within 7 days, the pull request will be marked closed.

[gysel]

still relevant

[tuunit]

please do a rebase of your branch with the master and move this to the latest changes since section

[gysel]

done

[tuunit]

i personally would prefer the direct return

[gysel]

I had a direct return but then code climate complained about too many returns. (see 64dd780) Should I change it back?

[tuunit]

A yes you are right code climate is quite strict at the moment. Leave it as is for now!

[tuunit]

I was under the impression that the whole point of a refresh token was to refresh the ID Token, which provider are you using out of interest?

According to the OIDC specification the refresh tokens are used to refresh the access tokens.
https://openid.net/specs/openid-connect-core-1_0.html#RefreshingAccessToken

Furthermore, as described in section 12.2 Successful Refresh Response the Token Response might not contain an id_token. My understanding is that their currently is not enforced specification in place on how to refresh the id_token. Some providers might provide new id_tokens but some might need to retrigger the authentication flow once more.

Therefore, the solution in this PR seems like kind of a workaround to me. Should the refresh empty the id_token in the current session if no new id_token has been provided? I think we might need to change the refresh flow instead of switching between the access or id token for validation.

[tuunit]

@gysel do you by any chance still have a record or know which error you got after the refresh during the token validation?

[gysel]

@gysel do you by any chance still have a record or know which error you got after the refresh during the token validation?

I added the error message here: #1640 (comment)

I just verified it again, we only use the access_token for this customer and hence do not care when the id_token is expired.

Therefore, the solution in this PR seems like kind of a workaround to me. Should the refresh empty the id_token in the current session if no new id_token has been provided? I think we might need to change the refresh flow instead of switching between the access or id token for validation.

Good question... I think I'd rather have an expired id_token in the backend than none - but I'm not certain what makes more sense. A solution would also be to print a warning in the log and remove the id_token from the session.
Maybe a validation of the id_token is the wrong approach when the standard does not guarantee that you always have a valid ID token.

[tuunit]

According to the OIDC specification the refresh tokens are used to refresh the access tokens.
https://openid.net/specs/openid-connect-core-1_0.html#RefreshingAccessToken

Furthermore, as described in section 12.2 Successful Refresh Response the Token Response might not contain an id_token. My understanding is that their currently is not enforced specification in place on how to refresh the id_token. Some providers might provide new id_tokens but some might need to retrigger the authentication flow once more.

Therefore, the solution in this PR seems like kind of a workaround to me. Should the refresh empty the id_token in the current session if no new id_token has been provided? I think we might need to change the refresh flow instead of switching between the access or id token for validation.

Error:

2022-06-27 09:00:37.070 CEST
xxx - 7ff73c70-1a39-40fb-afe4-1164b7a0b700 - xxx@xxx.com [2022/06/27 07:00:37] [AuthSuccess] Authenticated via OAuth2: Session{email:xxx@xxx.com user: PreferredUsername: token:true id_token:true created:2022-06-27 07:00:37.069415957 +0000 UTC m=+325920.006154842 expires:2022-06-27 08:00:36.026393118 +0000 UTC m=+329518.963131992 refresh_token:true}
2022-06-27 10:00:40.317 CEST
[2022/06/27 08:00:40] [stored_session.go:189] Refreshing session - User: ; SessionAge: 1h0m2.930584043s
2022-06-27 10:00:40.471 CEST
[2022/06/27 08:00:40] [oidc.go:87] id_token verification failed: failed to verify token: oidc: token is expired (Token Expiry: 2022-06-27 08:00:36 +0000 UTC)

So the issue occurs when the id_token expires because Ping ID doesn't refresh the id_token with the refresh endpoint. Therefore, the proper solution would be to invalidate / delete the current session to enforce the authentication flow once more. What are your thoughts on this @JoelSpeed @gysel @braunsonm ?

[gysel]

Therefore, the proper solution would be to invalidate / delete the current session to enforce the authentication flow once more.

In this particular case the access_token is a JWT and we don't use the id_token at all. I believe this is a valid scenario and the IdP just confirmed the session to be still valid. Why would we want to do a full authentication flow?

[github-actions]

This pull request has been inactive for 60 days. If the pull request is still relevant please comment to re-activate the pull request. If no action is taken within 7 days, the pull request will be marked closed.

[github-actions]

This pull request has been inactive for 60 days. If the pull request is still relevant please comment to re-activate the pull request. If no action is taken within 7 days, the pull request will be marked closed.

[github-actions]

This pull request has been inactive for 60 days. If the pull request is still relevant please comment to re-activate the pull request. If no action is taken within 7 days, the pull request will be marked closed.

[alexeytokar]

Bump

[github-actions]

This pull request has been inactive for 60 days. If the pull request is still relevant please comment to re-activate the pull request. If no action is taken within 7 days, the pull request will be marked closed.

[timmalich]

Still relevant for us too

[tuunit]

Reminder to myself to finally get this merged and done once for all.

@tuunit

[JoelSpeed]

Out of interest, do we have a link to the appropriate place in the OIDC spec that allows IDPs to not return a new ID Token? I believe it's there but would be useful to link to in a code comment I think

[JoelSpeed]

Do we need the log here? Or should we just return?

Suggested change

	if !validateToken(ctx, p, s.AccessToken, makeOIDCHeader(s.AccessToken)) {
	logger.Errorf("access token is invalid")
	return false
	}
	return true
	return validateToken(ctx, p, s.AccessToken, makeOIDCHeader(s.AccessToken))

[Orange-Rabbit]

Out of interest, do we have a link to the appropriate place in the OIDC spec that allows IDPs to not return a new ID Token? I believe it's there but would be useful to link to in a code comment I think

@JoelSpeed
I found this part of the OIDC specification: https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokenResponse
I looked at the latest final version of OpenID Connect Core from openid.net

I would love to see this fixed, but I am not confident enough with GO unfortunately :/

[jholt96]

Is this still being worked? My company is being blocked by this issue and would love to see this merged. Happy to assist in any way

[tuunit]

Hi all,

really sorry this was open for years. To be honest I just lost track of it over and over again. As @JoelSpeed and me are only working on the project voluntarily and don't have any allotted time from our employers it is hard to keep things on track. With OAuth2 Proxy joining the CNCF, we try to get an initiative started to get the project more streamlined and more people on board to triage and review issues and PRs.

For now this PR is finally merged.

[gysel]

Hey @tuunit,

Many thanks for wrapping up this change.

I tested this now and found two issues:

1. s.Refreshed is always false and hence the new refresh handling is never used.
2. ValidateURL is, by default, not configured for OIDC providers. This makes the access token validation fail unless you configure a token validation change.

I opened #3267 with a proposed fix.