OIDC refreshToken BUG #1761

Open
1 task
Japson0 opened this issue Feb 14, 2025 · 0 comments

Comments


Japson0 commented Feb 14, 2025

If you are reporting any crash or any potential security issue, do not open an issue in this repo. Please report the issue via ASRC (Alibaba Security Response Center) where the issue will be triaged appropriately.

  • I have searched the issues of this repository and believe that this is not a duplicate.

Ⅰ. Issue Description

After logging in through the OIDC plugin, I set the token validity to 10 hours, and the following problems appeared:
1. The token was refreshed before the 10 hours were up, i.e. before it had expired; this is one thing I don't understand. The expiry time of the _oauth2_proxy cookie is 2025-02-14T08:46:37.171Z, which converted to UTC+8 should be a little after 4 p.m.
2. Later I set the refresh_token validity very short and found that it was indeed the refresh_token that had expired:

2025-02-14T10:32:59.422019Z	debug	envoy wasm external/envoy/source/extensions/common/wasm/context.cc:1384	wasm log higress-system.oidc-1.0.0: http call start, id: 571a71e2-ceaa-4128-8f80-c30d0fd0f35d, cluster: outbound|80||keycloak.keycloak.svc.cluster.local, method: POST, url: http://sso.eve.com:8084/realms/master/protocol/openid-connect/token, body: client_id=test&client_secret=lxxabzH5qroDMVI5G0enMiGtaPw8oWRg&grant_type=refresh_token&refresh_token=eyJhbGciOiJIUzUxMiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJjNjc4M2NjZS1hNjNhLTQ5MmUtOTk2ZS1hYTc0ZWIxYmY0N2EifQ.eyJleHAiOjE3Mzk0MzgyMDAsImlhdCI6MTczOTQzNjQwMCwianRpIjoiOGMzNzZmY2MtZDE4ZC00MDk5LWE1YWItNjMyMzI0MDg4MjI1IiwiaXNzIjoiaHR0cDovL3Nzby5ldmUuY29tOjgwODQvcmVhbG1zL21hc3RlciIsImF1ZCI6Imh0dHA6Ly9zc28uZXZlLmNvbTo4MDg0L3JlYWxtcy9tYXN0ZXIiLCJ0eXAiOiJSZWZyZXNoIiwiYXpwIjoiZW1scCIsInNpZCI6IjViMTQ1ZWE3LTllNmEtNDI1Ny04NTlhLTMyYjZkMDRlNDdhOSIsInNjb3BlIjoib3BlbmlkIHByb2ZpbGUifQ.w95uts3McIyDIRlq0qGxspqj4mXSrKACRMatGXm_mMbNZpK-FFOXf-xgZvDZnLUO9VN5AK50Qs5r8oyWY_NCiQ, timeout: 0	thread=102
2025-02-14T10:32:59.431192Z	debug	envoy wasm external/envoy/source/extensions/common/wasm/context.cc:1384	wasm log higress-system.oidc-1.0.0: http call end, id: 571a71e2-ceaa-4128-8f80-c30d0fd0f35d, code: 400, normal: true, body: {"error":"invalid_grant","error_description":"Token is not active"}	thread=102

2. If the token has expired and the refresh_token has also expired, I suggest redirecting to the login page. Currently it just reports an error, so we can only clear the cookie manually to make the plugin redirect.


This is my OIDC configuration:

client_id: "test"
client_secret: "lxxabzH5qroDMVI5G0enMiGtaPw8oWRg"
cookie_secret: "nqavJrGvRmQxWwGNptLdyUVKcBNZ2b18Guc1n_8DCfY="
match_list:
- match_rule_domain: "test.com:8081"
  match_rule_path: "/"
  match_rule_type: "prefix"
match_type: "blacklist"
oidc_issuer_url: "http://sso.eve.com:8084/realms/master"
redirect_url: "http://test.com:8081/oauth2/callback"
scope: "openid profile"
service_name: "keycloak.keycloak.svc.cluster.local"
service_port: 80

Ⅱ. Describe what happened

I expect that when the refresh_token has also expired, the cookie should be cleared and then the user automatically redirected to the corresponding token.

How to reproduce: shortening the refresh_token validity reproduces this kind of problem.
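As an added illustration (not the plugin's or the reporter's code), the following Go snippet shows how a proxy can turn the `400 invalid_grant` reply quoted in the log above into "clear the session cookie and redirect to login" instead of a hard error. The outcome names, the cookie name `_oauth2_proxy` and the login path `/oauth2/start` are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
)

// RefreshOutcome is what the proxy should do after a refresh_token grant.
type RefreshOutcome int

const (
	RefreshOK             RefreshOutcome = iota // new tokens received: update the session
	RefreshReauthenticate                       // session unrecoverable: clear cookie, redirect to login
	RefreshError                                // provider, network or client-config fault: keep session, report
)

// oauthError is the RFC 6749 token-endpoint error body.
type oauthError struct {
	Error       string `json:"error"`
	Description string `json:"error_description"`
}

// ClassifyRefreshResponse maps the token endpoint's reply onto an outcome.
// A 400 "invalid_grant" (expired or revoked refresh token) means the user must
// log in again; any other failure is not fixed by re-authentication.
func ClassifyRefreshResponse(status int, body []byte) RefreshOutcome {
	if status >= 200 && status < 300 {
		return RefreshOK
	}
	var e oauthError
	if status == 400 && json.Unmarshal(body, &e) == nil && e.Error == "invalid_grant" {
		return RefreshReauthenticate
	}
	return RefreshError
}

// ReauthHeaders builds the response that drops the stale session cookie and
// sends the browser back to the login entry point (names are assumptions).
func ReauthHeaders(cookieName, loginURL string) (int, http.Header) {
	h := http.Header{}
	h.Set("Location", loginURL)
	h.Set("Cache-Control", "no-store")
	// Max-Age=0 with an empty value makes the browser delete the cookie.
	h.Set("Set-Cookie", fmt.Sprintf("%s=; Path=/; Max-Age=0; HttpOnly; SameSite=Lax", cookieName))
	return http.StatusFound, h
}

func main() {
	// Constructed from the 400 body quoted in the issue's log line.
	body := []byte(`{"error":"invalid_grant","error_description":"Token is not active"}`)
	if ClassifyRefreshResponse(400, body) == RefreshReauthenticate {
		status, h := ReauthHeaders("_oauth2_proxy", "/oauth2/start")
		fmt.Println(status, h.Get("Set-Cookie"))
	}
}
```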
