@@ -85,28 +85,30 @@ function oidcCodeExchange(r) {
8585}
8686
8787function oidcRefreshRequest ( r ) {
88- // Pass the refresh token code to the /_refresh location so that it can be
88+ // Pass the refresh token to the /_refresh location so that it can be
8989 // proxied to the IdP in exchange for a new id_token
9090 r . subrequest ( "/_refresh" , "token=" + r . variables . refresh_token ,
9191 function ( reply ) {
92- if ( reply . status == 504 ) {
93- r . error ( "OIDC timeout connecting to IdP when sending refresh request" ) ;
94- r . return ( 504 ) ;
95- return ;
96- }
97-
9892 if ( reply . status != 200 ) {
99- try {
100- var errorset = JSON . parse ( reply . responseBody ) ;
101- if ( errorset . error ) {
102- r . error ( "OIDC error from IdP when sending refresh request: " + errorset . error + ", " + errorset . error_description ) ;
103- } else {
104- r . error ( "OIDC unexpected response from IdP when sending refresh request (HTTP " + reply . status + "). " + reply . responseBody ) ;
93+ // Refresh request failed, log the reason
94+ var error_log = "OIDC refresh failure" ;
95+ if ( reply . status == 504 ) {
96+ error_log += ", timeout waiting for IdP" ;
97+ } else if ( reply . status = 400 ) {
98+ try {
99+ var errorset = JSON . parse ( reply . responseBody ) ;
100+ error_log += ": " + errorset . error + " " + errorset . error_description ;
101+ } catch ( e ) {
102+ error_log += ": " + reply . responseBody ;
105103 }
106- } catch ( e ) {
107- r . error ( "OIDC unexpected response from IdP when sending refresh request (HTTP " + reply . status + "). " + reply . responseBody ) ;
104+ } else {
105+ error_log += " " + reply . status ;
108106 }
109- r . return ( 502 ) ;
107+ r . error ( error_log ) ;
108+
109+ // Clear the refresh token, try again
110+ r . variables . refresh_token = "-" ;
111+ r . return ( 302 , r . variables . request_uri ) ;
110112 return ;
111113 }
112114
@@ -118,20 +120,22 @@ function oidcRefreshRequest(r) {
118120 if ( tokenset . error ) {
119121 r . error ( "OIDC " + tokenset . error + " " + tokenset . error_description ) ;
120122 }
121- r . return ( 500 ) ;
123+ r . variables . refresh_token = "-" ;
124+ r . return ( 302 , r . variables . request_uri ) ;
122125 return ;
123126 }
124127
125128 // Send the new ID Token to auth_jwt location for validation
126129 r . subrequest ( "/_id_token_validation" , "token=" + tokenset . id_token ,
127130 function ( reply ) {
128131 if ( reply . status != 204 ) {
129- r . return ( 500 ) ; // validateIdToken() will log errors
132+ r . variables . refresh_token = "-" ;
133+ r . return ( 302 , r . variables . request_uri ) ;
130134 return ;
131135 }
132136
133137 // ID Token is valid, update keyval
134- r . log ( "OIDC updating id_token" ) ;
138+ r . log ( "OIDC refresh success, updating id_token" ) ;
135139 r . variables . session_jwt = tokenset . id_token ; // Update key-value store
136140
137141 // Update refresh token (if we got a new one)
@@ -140,13 +144,13 @@ function oidcRefreshRequest(r) {
140144 r . variables . refresh_token = tokenset . refresh_token ; // Update key-value store
141145 }
142146
143- r . log ( "OIDC refresh success" ) ;
144147 r . internalRedirect ( r . variables . request_uri ) ; // Continue processing original request
145148 }
146149 ) ;
147150 } catch ( e ) {
148- r . error ( "OIDC refresh response is not JSON. " + reply . responseBody ) ;
149- r . return ( 502 ) ;
151+ r . variables . refresh_token = "-" ;
152+ r . return ( 302 , r . variables . request_uri ) ;
153+ return ;
150154 }
151155 }
152156 ) ;
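Review bot: The `else if` in the first hunk reads `reply . status = 400`, an assignment rather than a comparison; it is always truthy, so every reply that is neither 200 nor 504 takes the JSON-parse branch, the final `else` that appends the status code is unreachable, and `reply.status` is clobbered to 400 before the log line is written. It should read `} else if (reply.status == 400) {`. In the third hunk the `catch (e)` block now clears the refresh token and redirects without logging anything, whereas the line it replaced recorded the non-JSON body; restoring `r.error("OIDC refresh response is not JSON. " + reply.responseBody);` ahead of the redirect keeps that failure visible to whoever is watching the error log. Every failure path now sets `refresh_token` to `"-"` and answers `302` to `request_uri`; if the handling of a `"-"` token elsewhere can lead back into this refresh path, that is a redirect loop rather than a retry, so it is worth confirming where a cleared token is routed (the enclosing function continues outside both the first and the last hunk).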