
oidc: handle refresh token
Fix #338
Signed-off-by: spacewander <[email protected]>
spacewander committed Mar 6, 2024
1 parent c068121 commit 56b9195
Showing 7 changed files with 383 additions and 79 deletions.
14 changes: 14 additions & 0 deletions plugins/oidc/config.go
Expand Up @@ -16,6 +16,7 @@ package oidc

import (
"context"
"encoding/base64"
"net/http"
"time"

Expand Down Expand Up @@ -65,6 +66,8 @@ type config struct {
oauth2Config *oauth2.Config
verifier *oidc.IDTokenVerifier
cookieEncoding *securecookie.SecureCookie
refreshLeeway time.Duration
cookieEntryID string
}

func (conf *config) ctxWithClient(ctx context.Context) context.Context {
Expand All @@ -84,6 +87,13 @@ func (conf *config) Init(cb api.ConfigCallbackHandler) error {
}
conf.opTimeout = du

du = 10 * time.Second
leeway := conf.GetAccessTokenRefreshLeeway()
if leeway != nil {
du = leeway.AsDuration()

}
conf.refreshLeeway = du

ctx := conf.ctxWithClient(context.Background())
var provider *oidc.Provider
var err error
Expand All @@ -104,6 +114,9 @@ func (conf *config) Init(cb api.ConfigCallbackHandler) error {
return err
}

if !conf.DisableAccessTokenRefresh {
conf.Scopes = append(conf.Scopes, oidc.ScopeOfflineAccess)
}
conf.oauth2Config = &oauth2.Config{
ClientID: conf.ClientId,
ClientSecret: conf.ClientSecret,
Expand All @@ -116,5 +129,6 @@ func (conf *config) Init(cb api.ConfigCallbackHandler) error {
}
conf.verifier = provider.Verifier(&oidc.Config{ClientID: conf.ClientId})
conf.cookieEncoding = securecookie.New([]byte(conf.ClientSecret), nil)
conf.cookieEntryID = base64.RawURLEncoding.EncodeToString([]byte(conf.ClientId))
return nil
}
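Review bot: The new scope block in Init appends `oidc.ScopeOfflineAccess` to `conf.Scopes` without checking whether it is already listed, so a configuration that names offline_access explicitly sends the scope twice, and a repeated Init on the same config keeps growing the slice. A guard such as `if !conf.DisableAccessTokenRefresh && !slices.Contains(conf.Scopes, oidc.ScopeOfflineAccess) {` keeps the authorization request clean (`slices` is stdlib from Go 1.21; the module's Go version is not visible here). In the leeway hunk, `du = 10 * time.Second` reuses the variable left over from the timeout parsing above, so a comment `// default access token refresh leeway` would help, and the Codecov annotation shows `du = leeway.AsDuration()` is not exercised, which TestDefaultValue in config_test.go could cover with a configured value. Init's body starts before the first of these hunks and context between the hunks is elided.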
51 changes: 41 additions & 10 deletions plugins/oidc/config.pb.go


32 changes: 32 additions & 0 deletions plugins/oidc/config.pb.validate.go


8 changes: 8 additions & 0 deletions plugins/oidc/config.proto
Expand Up @@ -42,4 +42,12 @@ message Config {
google.protobuf.Duration timeout = 8 [(validate.rules).duration = {
gt: {},
}];

bool disable_access_token_refresh = 9;
// The duration to determines how earlier a token should be considered
// expired than its actual expiration time. It is used to avoid late
// expirations due to client-server time mismatches. Default to 10s.
google.protobuf.Duration access_token_refresh_leeway = 10 [(validate.rules).duration = {
gte: {},
}];
}
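Review bot: `disable_access_token_refresh` is added without a doc comment while the neighbouring leeway field has one, so readers of the generated config cannot see that the flag also controls whether the offline_access scope is requested (that coupling lives in config.go). Suggest `// Whether to disable refreshing the access token. When refresh is enabled, the offline_access scope is requested automatically.` above the field. The leeway comment would also read more clearly as `// How much earlier than its actual expiration a token is treated as expired. This avoids late expirations caused by client-server clock skew. Defaults to 10s.`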
4 changes: 2 additions & 2 deletions plugins/oidc/config_test.go
Expand Up @@ -25,7 +25,7 @@ import (
func TestBadIssuer(t *testing.T) {
c := config{
Config: Config{
Issuer: "http://github.com",
Issuer: "http://1.1.1.1",
Timeout: &durationpb.Duration{Seconds: 1}, // quick fail
},
}
Expand All @@ -36,7 +36,7 @@ func TestBadIssuer(t *testing.T) {
func TestDefaultValue(t *testing.T) {
c := config{
Config: Config{
Issuer: "http://github.com",
Issuer: "http://1.1.1.1",
Timeout: &durationpb.Duration{Seconds: 1}, // quick fail
},
}
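Review bot: Both tests now point Issuer at the public address `http://1.1.1.1`, so the "quick fail" still depends on whether the test host can reach the internet and on how that endpoint happens to respond, which makes the result vary between CI and offline runs. An address reserved for documentation such as `Issuer: "http://192.0.2.1"` (RFC 5737 TEST-NET-1) is guaranteed unroutable and fails within the 1s timeout deterministically, or an `httptest.NewServer` returning a non-OIDC response gives a fully local failure. The same change applies to both hunks of this file.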
