OIDC authorization code flow - opaque refresh token - refresh_token_expires_in

[mbuchner]

Hi,

We have implemented the Authorization Code Flow with Quarkus. We were forced to as our customer doesn't support Authorization Code Flow in frontend SPA applications. (Netscaler)
https://quarkus.io/guides/security-oidc-code-flow-authentication

We got it running so far after several days of trial and error.

What doesn't work is the refresh. They are not sending a JWT refresh token but only a binary (opaque) refresh token.

(In DEV environment we use Keycloak - and everything is working fine ...)

Here an excerpt of our config:

# Don't send Http redirect 302 but instead send Http code 499
quarkus.oidc.authentication.java-script-auto-redirect=false

# CORS filter
quarkus.http.cors=true
%dev,test.quarkus.http.cors.origins=/.*/

# Override cookie domain (in dev mode it sometimes uses 127.0.0.1, but we want to force localhost)
%dev.quarkus.oidc.authentication.cookie-domain=localhost

quarkus.oidc.token-state-manager.split-tokens=true

quarkus.oidc.authentication.redirect-path=/api/callback
quarkus.oidc.authentication.restore-path-after-redirect=true

quarkus.oidc.token.refresh-expired=true

# give quarkus the right header (host / domain)
quarkus.http.proxy.proxy-address-forwarding=true
quarkus.http.proxy.allow-forwarded=true
quarkus.http.proxy.allow-x-forwarded=true
quarkus.http.proxy.enable-forwarded-host=true

quarkus.oidc.token-state-manager.strategy=id-refresh-tokens

They pretend to send the following information:

Could it be that quarkus doesnt use the "refresh_token_expires_in" but instead uses "refresh_expires_in".
At least thats the only string I could find in the quarkus sources:
https://github.com/quarkusio/quarkus/blob/main/extensions/oidc-common/runtime/src/main/java/io/quarkus/oidc/common/runtime/OidcConstants.java

Could anybody confirm my suspicion?
Can I overwrite this value somehow so that "refresh_token_expires_in" is used?

Or am I on the wrong track and something else is wrong in our setup ... I am open for any input as I am freaking out now after 2 days :-)

Thanks Max

PS: Is there a way to print the response header / body .. of quarkus OIDC requests ?

[sberyozkin]

Hi @mbuchner, thanks for this report,

We got it running so far after several days of trial and error.
and
Or am I on the wrong track and something else is wrong in our setup ... I am open for any input as I am freaking out now after 2 days :-)

You could've asked earlier, we are here to help :-)

Just a minor comment re your config first:

quarkus.oidc.token-state-manager.split-tokens=true

If it is related to the encrypted session cookie exceeding 4K limit - it should be managed automatically now by Quarkus OIDC in such cases, please try later

As far as the ID token refresh is concerned, quarkus-oidc is not concerned about the RT format, JWT or binary one, or its expiry date, all it does, when refreshing tokens is allowed, it sends them to the provider, and if the provider responds with 401, which will happen when the RT has expired, the user will be required to re-authenticate.

But you have to allow Quarkus to refresh - this is not done out of the box, because RT can last for a very long time, but the application may not want an unlimited session time for the authenticated users which may happen if the session is constantly refreshed. See https://quarkus.io/guides/security-oidc-code-flow-authentication#session-management, simply enable the refresh and if you'd like, which I recommend, add a refresh skew, which will proactively refresh all tokens once the ID token has nearly expired (ex, within the next 10 minutes).

Let me know how it goes

[mbuchner]

Hi Sergey,

Thanks for your quick reply!
I added now the following 2 settings:

quarkus.oidc.token.refresh-token-time-skew=2M
quarkus.oidc.authentication.session-age-extension=240M   --> as the "refresh_token_expires_in" is 5h

I think that the refresh call fails - here is an excerpt from my logs:

• in the first part you can see the "grant_type=authorization_code" which works
• then (after I waited for some time) multiple requests try in parallel to get a new refresh token "grant_type=refresh_token"
  • this is what I don't understand - how can that work ... in the SPA we of course call multiple REST services in parallel
  • but according to the Netscaler team a refresh token can only be used once - and should be replaced with the new one returned by the refresh call
  • is there some way to synchronize the calls in the backend when id token has expired?

2024-03-12 18:57:14,877 DEBUG [io.qua.oid.run.OidcAuthenticationMechanism] (vert.x-eventloop-thread-1) Resolved OIDC tenant id: Default
2024-03-12 18:57:14,877 DEBUG [io.qua.oid.run.CodeAuthenticationMechanism] (vert.x-eventloop-thread-1) Starting an authentication challenge
2024-03-12 18:57:14,878 DEBUG [io.qua.oid.run.CodeAuthenticationMechanism] (vert.x-eventloop-thread-1) Authentication request redirect_uri parameter: https://test.somedomain.at/api/callback
2024-03-12 18:57:14,880 DEBUG [io.qua.oid.run.CodeAuthenticationMechanism] (vert.x-eventloop-thread-1) q_auth_cc9beb52-d044-48b2-b489-1938d225350e cookie 'max-age' parameter is set to 1800
2024-03-12 18:57:14,881 DEBUG [io.qua.oid.run.CodeAuthenticationMechanism] (vert.x-eventloop-thread-1) Code flow redirect to: https://access-test.somedomain.at/oauth/idp/login?response_type=code&client_id=tproject-core&scope=openid+openid&redirect_uri=https%3A%2F%2Ftest.somedomain.at%2Fapi%2Fcallback&state=cc9beb52-d044-48b2-b489-1938d225350e
2024-03-12 18:57:15,922 DEBUG [io.qua.oid.run.DefaultTenantConfigResolver] (vert.x-eventloop-thread-0) Registered TenantResolver has not provided the configuration for tenant 'cc9beb52-d044-48b2-b489-1938d225350e', using the default tenant
2024-03-12 18:57:15,922 DEBUG [io.qua.oid.run.OidcAuthenticationMechanism] (vert.x-eventloop-thread-0) Resolved OIDC tenant id: Default
2024-03-12 18:57:15,924 DEBUG [io.qua.ver.htt.run.ForwardedParser] (vert.x-eventloop-thread-0) Recalculated absoluteURI to https://test.somedomain.at/api/callback?code=292e9800279fafaa&state=cc9beb52-d044-48b2-b489-1938d225350e
2024-03-12 18:57:15,924 DEBUG [io.qua.oid.run.CodeAuthenticationMechanism] (vert.x-eventloop-thread-0) State cookie is present, processing an expected redirect from the OIDC provider
2024-03-12 18:57:15,924 DEBUG [io.qua.oid.run.CodeAuthenticationMechanism] (vert.x-eventloop-thread-0) Authorization code is present, completing the code flow
2024-03-12 18:57:15,925 DEBUG [io.qua.oid.run.DefaultTenantConfigResolver] (vert.x-eventloop-thread-0) Registered TenantResolver has not provided the configuration for tenant 'cc9beb52-d044-48b2-b489-1938d225350e', using the default tenant
2024-03-12 18:57:15,925 DEBUG [io.qua.oid.run.CodeAuthenticationMechanism] (vert.x-eventloop-thread-0) Exchanging the authorization code for the tokens
2024-03-12 18:57:15,925 DEBUG [io.qua.oid.run.CodeAuthenticationMechanism] (vert.x-eventloop-thread-0) Token request redirect_uri parameter: https://test.somedomain.at/api/callback
2024-03-12 18:57:15,926 DEBUG [io.qua.oid.run.OidcProviderClient] (vert.x-eventloop-thread-0) Get token on: https://access-test.somedomain.at/oauth/idp/token params: grant_type=authorization_code
code=292e9800279fafaa
redirect_uri=https://test.somedomain.at/api/callback
 headers: user-agent=Vert.x-WebClient/4.5.4
content-type=application/x-www-form-urlencoded
accept=application/json
authorization=Basic xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=

2024-03-12 18:57:16,380 DEBUG [jdk.eve.security] (vert.x-eventloop-thread-0)  TLSHandshake: access-test.somedomain.at:443, TLSv1.3, TLS_AES_256_GCM_SHA384, -840615719
2024-03-12 18:57:16,485 DEBUG [io.net.han.ssl.SslHandler] (vert.x-eventloop-thread-0) [id: 0x12806de7, L:/10.2.6.252:33834 - R:access-test.somedomain.at/10.66.61.173:443] HANDSHAKEN: protocol:TLSv1.3 cipher suite:TLS_AES_256_GCM_SHA384
2024-03-12 18:57:16,581 DEBUG [io.qua.oid.run.OidcProviderClient] (vert.x-eventloop-thread-0) Request succeeded: {"access_token":"b0dd33fbd6fb9048","token_type":"Bearer","expires_in":3599,"refresh_token":"4af389c31674589e","refresh_token_expires_in":18000,"id_token":"xxxxxxx"}
2024-03-12 18:57:16,775 DEBUG [io.qua.oid.run.CodeAuthenticationMechanism] (vert.x-eventloop-thread-0) Authorization code has been exchanged, verifying ID token
2024-03-12 18:57:16,776 DEBUG [io.qua.oid.run.OidcIdentityProvider] (vert.x-eventloop-thread-0) Starting creating SecurityIdentity
2024-03-12 18:57:16,874 DEBUG [io.qua.oid.run.DefaultTenantConfigResolver] (vert.x-eventloop-thread-0) Registered TenantResolver has not provided the configuration for tenant 'cc9beb52-d044-48b2-b489-1938d225350e', using the default tenant
2024-03-12 18:57:16,876 DEBUG [io.qua.oid.run.OidcIdentityProvider] (vert.x-eventloop-thread-0) Verifying the JWT token with the local JWK keys
2024-03-12 18:57:16,976 DEBUG [org.jos.jwa.AlgorithmFactoryFactory] (vert.x-eventloop-thread-0) Initializing jose4j (running with Java 17.0.10 from Red Hat, Inc. at /usr/lib/jvm/java-17-openjdk-17.0.10.0.7-2.el8.x86_64 with [SUN version 17, SunRsaSign version 17, SunEC version 17, SunJSSE version 17, SunJCE version 17, SunJGSS version 17, SunSASL version 17, XMLDSig version 17, SunPCSC version 17, JdkLDAP version 17, JdkSASL version 17, SunPKCS11 version 17] security providers installed)...
2024-03-12 18:57:16,977 DEBUG [org.jos.jwa.AlgorithmFactory->JsonWebSignatureAlgorithm] (vert.x-eventloop-thread-0) org.jose4j.jws.UnsecuredNoneAlgorithm(none|null) registered for alg algorithm none
2024-03-12 18:57:16,978 DEBUG [org.jos.jwa.AlgorithmFactory->JsonWebSignatureAlgorithm] (vert.x-eventloop-thread-0) org.jose4j.jws.HmacUsingShaAlgorithm$HmacSha256(HS256|HmacSHA256) registered for alg algorithm HS256
2024-03-12 18:57:16,978 DEBUG [org.jos.jwa.AlgorithmFactory->JsonWebSignatureAlgorithm] (vert.x-eventloop-thread-0) org.jose4j.jws.HmacUsingShaAlgorithm$HmacSha384(HS384|HmacSHA384) registered for alg algorithm HS384
2024-03-12 18:57:16,978 DEBUG [org.jos.jwa.AlgorithmFactory->JsonWebSignatureAlgorithm] (vert.x-eventloop-thread-0) org.jose4j.jws.HmacUsingShaAlgorithm$HmacSha512(HS512|HmacSHA512) registered for alg algorithm HS512
2024-03-12 18:57:16,979 DEBUG [org.jos.jwa.AlgorithmFactory->JsonWebSignatureAlgorithm] (vert.x-eventloop-thread-0) org.jose4j.jws.EdDsaAlgorithm(EdDSA|EdDSA) registered for alg algorithm EdDSA
2024-03-12 18:57:16,979 DEBUG [org.jos.jwa.AlgorithmFactory->JsonWebSignatureAlgorithm] (vert.x-eventloop-thread-0) org.jose4j.jws.EcdsaUsingShaAlgorithm$EcdsaP256UsingSha256(ES256|SHA256withECDSA) registered for alg algorithm ES256
2024-03-12 18:57:16,980 DEBUG [org.jos.jwa.AlgorithmFactory->JsonWebSignatureAlgorithm] (vert.x-eventloop-thread-0) org.jose4j.jws.EcdsaUsingShaAlgorithm$EcdsaP384UsingSha384(ES384|SHA384withECDSA) registered for alg algorithm ES384
2024-03-12 18:57:16,980 DEBUG [org.jos.jwa.AlgorithmFactory->JsonWebSignatureAlgorithm] (vert.x-eventloop-thread-0) org.jose4j.jws.EcdsaUsingShaAlgorithm$EcdsaP521UsingSha512(ES512|SHA512withECDSA) registered for alg algorithm ES512
2024-03-12 18:57:17,073 DEBUG [org.jos.jws.EcdsaUsingShaAlgorithm$EcdsaSECP256K1UsingSha256] (vert.x-eventloop-thread-0) ES256K is not available due to org.jose4j.lang.JoseException: Problem creating signature.; caused by: java.security.SignatureException: Curve not supported: java.security.spec.ECParameterSpec@7a8d55bd
2024-03-12 18:57:17,073 DEBUG [org.jos.jwa.AlgorithmFactory->JsonWebSignatureAlgorithm] (vert.x-eventloop-thread-0) ES256K is unavailable so will not be registered for alg algorithms.
2024-03-12 18:57:17,073 DEBUG [org.jos.jwa.AlgorithmFactory->JsonWebSignatureAlgorithm] (vert.x-eventloop-thread-0) org.jose4j.jws.RsaUsingShaAlgorithm$RsaSha256(RS256|SHA256withRSA) registered for alg algorithm RS256
2024-03-12 18:57:17,074 DEBUG [org.jos.jwa.AlgorithmFactory->JsonWebSignatureAlgorithm] (vert.x-eventloop-thread-0) org.jose4j.jws.RsaUsingShaAlgorithm$RsaSha384(RS384|SHA384withRSA) registered for alg algorithm RS384
2024-03-12 18:57:17,074 DEBUG [org.jos.jwa.AlgorithmFactory->JsonWebSignatureAlgorithm] (vert.x-eventloop-thread-0) org.jose4j.jws.RsaUsingShaAlgorithm$RsaSha512(RS512|SHA512withRSA) registered for alg algorithm RS512
2024-03-12 18:57:17,075 DEBUG [org.jos.jwa.AlgorithmFactory->JsonWebSignatureAlgorithm] (vert.x-eventloop-thread-0) org.jose4j.jws.RsaUsingShaAlgorithm$RsaPssSha256(PS256|RSASSA-PSS) registered for alg algorithm PS256
2024-03-12 18:57:17,076 DEBUG [org.jos.jwa.AlgorithmFactory->JsonWebSignatureAlgorithm] (vert.x-eventloop-thread-0) org.jose4j.jws.RsaUsingShaAlgorithm$RsaPssSha384(PS384|RSASSA-PSS) registered for alg algorithm PS384
2024-03-12 18:57:17,077 DEBUG [org.jos.jwa.AlgorithmFactory->JsonWebSignatureAlgorithm] (vert.x-eventloop-thread-0) org.jose4j.jws.RsaUsingShaAlgorithm$RsaPssSha512(PS512|RSASSA-PSS) registered for alg algorithm PS512
2024-03-12 18:57:17,077 DEBUG [org.jos.jwa.AlgorithmFactoryFactory] (vert.x-eventloop-thread-0) JWS signature algorithms: [none, HS256, HS384, HS512, EdDSA, ES256, ES384, ES512, RS256, RS384, RS512, PS256, PS384, PS512]
2024-03-12 18:57:17,078 DEBUG [org.jos.jwa.AlgorithmFactory->KeyManagementAlgorithm] (vert.x-eventloop-thread-0) org.jose4j.jwe.RsaKeyManagementAlgorithm$Rsa1_5(RSA1_5|RSA/ECB/PKCS1Padding) registered for alg algorithm RSA1_5
2024-03-12 18:57:17,078 DEBUG [org.jos.jwa.AlgorithmFactory->KeyManagementAlgorithm] (vert.x-eventloop-thread-0) org.jose4j.jwe.RsaKeyManagementAlgorithm$RsaOaep(RSA-OAEP|RSA/ECB/OAEPWithSHA-1AndMGF1Padding) registered for alg algorithm RSA-OAEP
2024-03-12 18:57:17,081 DEBUG [org.jos.jwa.AlgorithmFactory->KeyManagementAlgorithm] (vert.x-eventloop-thread-0) org.jose4j.jwe.RsaKeyManagementAlgorithm$RsaOaep256(RSA-OAEP-256|RSA/ECB/OAEPWithSHA-256AndMGF1Padding) registered for alg algorithm RSA-OAEP-256
2024-03-12 18:57:17,081 DEBUG [org.jos.jwa.AlgorithmFactory->KeyManagementAlgorithm] (vert.x-eventloop-thread-0) org.jose4j.jwe.DirectKeyManagementAlgorithm(dir|null) registered for alg algorithm dir
2024-03-12 18:57:17,174 DEBUG [org.jos.jwa.AlgorithmFactory->KeyManagementAlgorithm] (vert.x-eventloop-thread-0) org.jose4j.jwe.AesKeyWrapManagementAlgorithm$Aes128(A128KW|AESWrap) registered for alg algorithm A128KW
2024-03-12 18:57:17,174 DEBUG [org.jos.jwa.AlgorithmFactory->KeyManagementAlgorithm] (vert.x-eventloop-thread-0) org.jose4j.jwe.AesKeyWrapManagementAlgorithm$Aes192(A192KW|AESWrap) registered for alg algorithm A192KW
2024-03-12 18:57:17,174 DEBUG [org.jos.jwa.AlgorithmFactory->KeyManagementAlgorithm] (vert.x-eventloop-thread-0) org.jose4j.jwe.AesKeyWrapManagementAlgorithm$Aes256(A256KW|AESWrap) registered for alg algorithm A256KW
2024-03-12 18:57:17,176 DEBUG [org.jos.jwa.AlgorithmFactory->KeyManagementAlgorithm] (vert.x-eventloop-thread-0) org.jose4j.jwe.EcdhKeyAgreementAlgorithm(ECDH-ES|ECDH) registered for alg algorithm ECDH-ES
2024-03-12 18:57:17,177 DEBUG [org.jos.jwa.AlgorithmFactory->KeyManagementAlgorithm] (vert.x-eventloop-thread-0) org.jose4j.jwe.EcdhKeyAgreementWithAesKeyWrapAlgorithm$EcdhKeyAgreementWithAes128KeyWrapAlgorithm(ECDH-ES+A128KW|N/A) registered for alg algorithm ECDH-ES+A128KW
2024-03-12 18:57:17,179 DEBUG [org.jos.jwa.AlgorithmFactory->KeyManagementAlgorithm] (vert.x-eventloop-thread-0) org.jose4j.jwe.EcdhKeyAgreementWithAesKeyWrapAlgorithm$EcdhKeyAgreementWithAes192KeyWrapAlgorithm(ECDH-ES+A192KW|N/A) registered for alg algorithm ECDH-ES+A192KW
2024-03-12 18:57:17,180 DEBUG [org.jos.jwa.AlgorithmFactory->KeyManagementAlgorithm] (vert.x-eventloop-thread-0) org.jose4j.jwe.EcdhKeyAgreementWithAesKeyWrapAlgorithm$EcdhKeyAgreementWithAes256KeyWrapAlgorithm(ECDH-ES+A256KW|N/A) registered for alg algorithm ECDH-ES+A256KW
2024-03-12 18:57:17,180 DEBUG [org.jos.jwa.AlgorithmFactory->KeyManagementAlgorithm] (vert.x-eventloop-thread-0) org.jose4j.jwe.Pbes2HmacShaWithAesKeyWrapAlgorithm$HmacSha256Aes128(PBES2-HS256+A128KW|n/a) registered for alg algorithm PBES2-HS256+A128KW
2024-03-12 18:57:17,180 DEBUG [org.jos.jwa.AlgorithmFactory->KeyManagementAlgorithm] (vert.x-eventloop-thread-0) org.jose4j.jwe.Pbes2HmacShaWithAesKeyWrapAlgorithm$HmacSha384Aes192(PBES2-HS384+A192KW|n/a) registered for alg algorithm PBES2-HS384+A192KW
2024-03-12 18:57:17,181 DEBUG [org.jos.jwa.AlgorithmFactory->KeyManagementAlgorithm] (vert.x-eventloop-thread-0) org.jose4j.jwe.Pbes2HmacShaWithAesKeyWrapAlgorithm$HmacSha512Aes256(PBES2-HS512+A256KW|n/a) registered for alg algorithm PBES2-HS512+A256KW
2024-03-12 18:57:17,277 DEBUG [org.jos.jwa.AlgorithmFactory->KeyManagementAlgorithm] (vert.x-eventloop-thread-0) org.jose4j.jwe.AesGcmKeyEncryptionAlgorithm$Aes128Gcm(A128GCMKW|AES/GCM/NoPadding) registered for alg algorithm A128GCMKW
2024-03-12 18:57:17,280 DEBUG [org.jos.jwa.AlgorithmFactory->KeyManagementAlgorithm] (vert.x-eventloop-thread-0) org.jose4j.jwe.AesGcmKeyEncryptionAlgorithm$Aes192Gcm(A192GCMKW|AES/GCM/NoPadding) registered for alg algorithm A192GCMKW
2024-03-12 18:57:17,280 DEBUG [org.jos.jwa.AlgorithmFactory->KeyManagementAlgorithm] (vert.x-eventloop-thread-0) org.jose4j.jwe.AesGcmKeyEncryptionAlgorithm$Aes256Gcm(A256GCMKW|AES/GCM/NoPadding) registered for alg algorithm A256GCMKW
2024-03-12 18:57:17,280 DEBUG [org.jos.jwa.AlgorithmFactoryFactory] (vert.x-eventloop-thread-0) JWE key management algorithms: [RSA1_5, RSA-OAEP, RSA-OAEP-256, dir, A128KW, A192KW, A256KW, ECDH-ES, ECDH-ES+A128KW, ECDH-ES+A192KW, ECDH-ES+A256KW, PBES2-HS256+A128KW, PBES2-HS384+A192KW, PBES2-HS512+A256KW, A128GCMKW, A192GCMKW, A256GCMKW]
2024-03-12 18:57:17,281 DEBUG [org.jos.jwa.AlgorithmFactory->ContentEncryptionAlgorithm] (vert.x-eventloop-thread-0) org.jose4j.jwe.AesCbcHmacSha2ContentEncryptionAlgorithm$Aes128CbcHmacSha256(A128CBC-HS256|AES/CBC/PKCS5Padding) registered for enc algorithm A128CBC-HS256
2024-03-12 18:57:17,281 DEBUG [org.jos.jwa.AlgorithmFactory->ContentEncryptionAlgorithm] (vert.x-eventloop-thread-0) org.jose4j.jwe.AesCbcHmacSha2ContentEncryptionAlgorithm$Aes192CbcHmacSha384(A192CBC-HS384|AES/CBC/PKCS5Padding) registered for enc algorithm A192CBC-HS384
2024-03-12 18:57:17,281 DEBUG [org.jos.jwa.AlgorithmFactory->ContentEncryptionAlgorithm] (vert.x-eventloop-thread-0) org.jose4j.jwe.AesCbcHmacSha2ContentEncryptionAlgorithm$Aes256CbcHmacSha512(A256CBC-HS512|AES/CBC/PKCS5Padding) registered for enc algorithm A256CBC-HS512
2024-03-12 18:57:17,282 DEBUG [org.jos.jwa.AlgorithmFactory->ContentEncryptionAlgorithm] (vert.x-eventloop-thread-0) org.jose4j.jwe.AesGcmContentEncryptionAlgorithm$Aes128Gcm(A128GCM|AES/GCM/NoPadding) registered for enc algorithm A128GCM
2024-03-12 18:57:17,282 DEBUG [org.jos.jwa.AlgorithmFactory->ContentEncryptionAlgorithm] (vert.x-eventloop-thread-0) org.jose4j.jwe.AesGcmContentEncryptionAlgorithm$Aes192Gcm(A192GCM|AES/GCM/NoPadding) registered for enc algorithm A192GCM
2024-03-12 18:57:17,283 DEBUG [org.jos.jwa.AlgorithmFactory->ContentEncryptionAlgorithm] (vert.x-eventloop-thread-0) org.jose4j.jwe.AesGcmContentEncryptionAlgorithm$Aes256Gcm(A256GCM|AES/GCM/NoPadding) registered for enc algorithm A256GCM
2024-03-12 18:57:17,283 DEBUG [org.jos.jwa.AlgorithmFactoryFactory] (vert.x-eventloop-thread-0) JWE content encryption algorithms: [A128CBC-HS256, A192CBC-HS384, A256CBC-HS512, A128GCM, A192GCM, A256GCM]
2024-03-12 18:57:17,283 DEBUG [org.jos.jwa.AlgorithmFactory->CompressionAlgorithm] (vert.x-eventloop-thread-0) org.jose4j.zip.DeflateRFC1951CompressionAlgorithm@247a555b registered for zip algorithm DEF
2024-03-12 18:57:17,283 DEBUG [org.jos.jwa.AlgorithmFactoryFactory] (vert.x-eventloop-thread-0) JWE compression algorithms: [DEF]
2024-03-12 18:57:17,283 DEBUG [org.jos.jwa.AlgorithmFactoryFactory] (vert.x-eventloop-thread-0) Initialized jose4j in 307ms
2024-03-12 18:57:17,383 DEBUG [io.qua.oid.run.OidcUtils] (vert.x-eventloop-thread-0) No claim exists at the path 'groups' at the path segment 'groups'
2024-03-12 18:57:17,383 DEBUG [io.qua.oid.run.OidcUtils] (vert.x-eventloop-thread-0) No claim exists at the path 'realm_access/roles' at the path segment 'realm_access'
2024-03-12 18:57:17,383 DEBUG [io.qua.oid.run.OidcUtils] (vert.x-eventloop-thread-0) No claim exists at the path 'resource_access/tproject-core/roles' at the path segment 'resource_access'
2024-03-12 18:57:17,383 DEBUG [io.qua.oid.run.OidcUtils] (vert.x-eventloop-thread-0) No claim exists at the path 'scope' at the path segment 'scope'


2024-03-12 18:57:19,888 DEBUG [io.qua.oid.run.CodeAuthenticationMechanism] (vert.x-eventloop-thread-0) ID token has been verified, removing the existing session cookie if any and creating a new one
2024-03-12 18:57:19,976 DEBUG [io.qua.oid.run.CodeAuthenticationMechanism] (vert.x-eventloop-thread-0) ID token is valid for 300 seconds
2024-03-12 18:57:20,077 DEBUG [io.qua.oid.run.CodeAuthenticationMechanism] (vert.x-eventloop-thread-0) q_session_rt cookie 'max-age' parameter is set to 2100
2024-03-12 18:57:20,079 DEBUG [io.qua.oid.run.CodeAuthenticationMechanism] (vert.x-eventloop-thread-0) Session cookie length for the tenant Default is 1749 bytes.
2024-03-12 18:57:20,079 DEBUG [io.qua.oid.run.CodeAuthenticationMechanism] (vert.x-eventloop-thread-0) q_session cookie 'max-age' parameter is set to 2100
2024-03-12 18:57:20,080 DEBUG [io.qua.oid.run.CodeAuthenticationMechanism] (vert.x-eventloop-thread-0) Removing code flow redirect parameters, final redirect URI: https://test.somedomain.at/api/auth
2024-03-12 18:57:20,081 DEBUG [io.qua.oid.run.CodeAuthenticationMechanism] (vert.x-eventloop-thread-0) Starting the final redirect

.......
.......


2024-03-12 19:00:33,346 DEBUG [io.qua.oid.run.OidcAuthenticationMechanism] (vert.x-eventloop-thread-1) Resolved OIDC tenant id: Default
2024-03-12 19:01:23,347 DEBUG [io.qua.oid.run.OidcAuthenticationMechanism] (vert.x-eventloop-thread-0) Resolved OIDC tenant id: Default
2024-03-12 19:02:13,346 DEBUG [io.qua.oid.run.OidcAuthenticationMechanism] (vert.x-eventloop-thread-1) Resolved OIDC tenant id: Default
2024-03-12 19:03:03,347 DEBUG [io.qua.oid.run.OidcAuthenticationMechanism] (vert.x-eventloop-thread-0) Resolved OIDC tenant id: Default
2024-03-12 19:03:53,348 DEBUG [io.qua.oid.run.OidcAuthenticationMechanism] (vert.x-eventloop-thread-1) Resolved OIDC tenant id: Default
2024-03-12 19:03:59,412 DEBUG [io.qua.ver.htt.run.ForwardedParser] (vert.x-eventloop-thread-0) Recalculated absoluteURI to https://test.somedomain.at/api/order/query
2024-03-12 19:03:59,413 DEBUG [io.qua.oid.run.DefaultTenantConfigResolver] (vert.x-eventloop-thread-0) Registered TenantResolver has not provided the configuration for tenant 'rt', using the default tenant
2024-03-12 19:03:59,414 DEBUG [io.qua.oid.run.OidcAuthenticationMechanism] (vert.x-eventloop-thread-0) Resolved OIDC tenant id: Default
2024-03-12 19:03:59,414 DEBUG [io.qua.oid.run.CodeAuthenticationMechanism] (vert.x-eventloop-thread-0) Session cookie is present, starting the reauthentication
2024-03-12 19:03:59,414 DEBUG [io.qua.oid.run.DefaultTenantConfigResolver] (vert.x-eventloop-thread-0) Registered TenantResolver has not provided the configuration for tenant 'rt', using the default tenant
2024-03-12 19:03:59,416 DEBUG [io.qua.oid.run.OidcIdentityProvider] (vert.x-eventloop-thread-0) Starting creating SecurityIdentity
2024-03-12 19:03:59,417 DEBUG [io.qua.oid.run.DefaultTenantConfigResolver] (vert.x-eventloop-thread-0) Registered TenantResolver has not provided the configuration for tenant 'rt', using the default tenant
2024-03-12 19:03:59,417 DEBUG [io.qua.oid.run.OidcIdentityProvider] (vert.x-eventloop-thread-0) Verifying the JWT token with the local JWK keys
2024-03-12 19:03:59,479 DEBUG [io.qua.oid.run.DefaultTenantConfigResolver] (vert.x-eventloop-thread-1) Registered TenantResolver has not provided the configuration for tenant 'rt', using the default tenant
2024-03-12 19:03:59,479 DEBUG [io.qua.oid.run.OidcAuthenticationMechanism] (vert.x-eventloop-thread-1) Resolved OIDC tenant id: Default
2024-03-12 19:03:59,479 DEBUG [io.qua.oid.run.CodeAuthenticationMechanism] (vert.x-eventloop-thread-1) Session cookie is present, starting the reauthentication
2024-03-12 19:03:59,479 DEBUG [io.qua.oid.run.DefaultTenantConfigResolver] (vert.x-eventloop-thread-1) Registered TenantResolver has not provided the configuration for tenant 'rt', using the default tenant
2024-03-12 19:03:59,573 DEBUG [io.qua.oid.run.OidcIdentityProvider] (vert.x-eventloop-thread-1) Starting creating SecurityIdentity
2024-03-12 19:03:59,574 DEBUG [io.qua.oid.run.DefaultTenantConfigResolver] (vert.x-eventloop-thread-1) Registered TenantResolver has not provided the configuration for tenant 'rt', using the default tenant
2024-03-12 19:03:59,574 DEBUG [io.qua.oid.run.OidcIdentityProvider] (vert.x-eventloop-thread-1) Verifying the JWT token with the local JWK keys
2024-03-12 19:03:59,578 DEBUG [io.qua.oid.run.OidcProvider] (vert.x-eventloop-thread-0) Verification of the token issued to client tproject-core has failed: The JWT is no longer valid - the evaluation time NumericDate{1710270239 -> Mar 12, 2024, 7:03:59 PM UTC} is on or after the Expiration Time (exp=NumericDate{1710270135 -> Mar 12, 2024, 7:02:15 PM UTC}) claim value.
2024-03-12 19:03:59,578 DEBUG [io.qua.oid.run.OidcIdentityProvider] (vert.x-eventloop-thread-0) Token verification has failed: JWT (claims->{"iss": "https://access-test.somedomain.at","aud": "tproject-core","sub": "sampleuserid","unique_name": "[email protected]","email": "[email protected]","mail": "sampleuserid", "cn": "sampleuserid", "sn": "Mustermann", "givenName": "Markus","iat": 1710269835,"nbf": 1710269535,"exp": 1710270135}) rejected due to invalid claims or other invalid content. Additional details: [[1] The JWT is no longer valid - the evaluation time NumericDate{1710270239 -> Mar 12, 2024, 7:03:59 PM UTC} is on or after the Expiration Time (exp=NumericDate{1710270135 -> Mar 12, 2024, 7:02:15 PM UTC}) claim value.]
2024-03-12 19:03:59,578 DEBUG [io.qua.oid.run.OidcProvider] (vert.x-eventloop-thread-1) Verification of the token issued to client tproject-core has failed: The JWT is no longer valid - the evaluation time NumericDate{1710270239 -> Mar 12, 2024, 7:03:59 PM UTC} is on or after the Expiration Time (exp=NumericDate{1710270135 -> Mar 12, 2024, 7:02:15 PM UTC}) claim value.
2024-03-12 19:03:59,578 DEBUG [io.qua.oid.run.OidcIdentityProvider] (vert.x-eventloop-thread-1) Token verification has failed: JWT (claims->{"iss": "https://access-test.somedomain.at","aud": "tproject-core","sub": "sampleuserid","unique_name": "[email protected]","email": "[email protected]","mail": "sampleuserid", "cn": "sampleuserid", "sn": "Mustermann", "givenName": "Markus","iat": 1710269835,"nbf": 1710269535,"exp": 1710270135}) rejected due to invalid claims or other invalid content. Additional details: [[1] The JWT is no longer valid - the evaluation time NumericDate{1710270239 -> Mar 12, 2024, 7:03:59 PM UTC} is on or after the Expiration Time (exp=NumericDate{1710270135 -> Mar 12, 2024, 7:02:15 PM UTC}) claim value.]
2024-03-12 19:03:59,674 DEBUG [io.qua.oid.run.CodeAuthenticationMechanism] (vert.x-eventloop-thread-0) Token has expired, trying to refresh it
2024-03-12 19:03:59,674 DEBUG [io.qua.oid.run.CodeAuthenticationMechanism] (vert.x-eventloop-thread-1) Token has expired, trying to refresh it
2024-03-12 19:03:59,674 DEBUG [io.qua.oid.run.OidcProviderClient] (vert.x-eventloop-thread-1) Get token on: https://access-test.somedomain.at/oauth/idp/token params: grant_type=refresh_token
refresh_token=4af389c31674589e
 headers: user-agent=Vert.x-WebClient/4.5.4
content-type=application/x-www-form-urlencoded
accept=application/json
authorization=Basic xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=

2024-03-12 19:03:59,674 DEBUG [io.qua.oid.run.OidcProviderClient] (vert.x-eventloop-thread-0) Get token on: https://access-test.somedomain.at/oauth/idp/token params: grant_type=refresh_token
refresh_token=4af389c31674589e
 headers: user-agent=Vert.x-WebClient/4.5.4
content-type=application/x-www-form-urlencoded
accept=application/json
authorization=Basic xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=

2024-03-12 19:03:59,674 INFO  [at.xxx.yyy.awp.res.fil.AppOidcRequestFilter] (vert.x-eventloop-thread-1) Token URI: https://access-test.somedomain.at/oauth/idp/token
2024-03-12 19:03:59,675 INFO  [at.xxx.yyy.awp.res.fil.AppOidcRequestFilter] (vert.x-eventloop-thread-1) Request URI: /oauth/idp/token
2024-03-12 19:03:59,675 DEBUG [at.xxx.yyy.awp.res.fil.AppOidcRequestFilter] (vert.x-eventloop-thread-1) Request Headers:
2024-03-12 19:03:59,675 INFO  [at.xxx.yyy.awp.res.fil.AppOidcRequestFilter] (vert.x-eventloop-thread-0) Token URI: https://access-test.somedomain.at/oauth/idp/token
2024-03-12 19:03:59,675 INFO  [at.xxx.yyy.awp.res.fil.AppOidcRequestFilter] (vert.x-eventloop-thread-0) Request URI: /oauth/idp/token
2024-03-12 19:03:59,675 DEBUG [at.xxx.yyy.awp.res.fil.AppOidcRequestFilter] (vert.x-eventloop-thread-1)     header: 'user-agent' = 'Vert.x-WebClient/4.5.4'
2024-03-12 19:03:59,675 DEBUG [at.xxx.yyy.awp.res.fil.AppOidcRequestFilter] (vert.x-eventloop-thread-0) Request Headers:
2024-03-12 19:03:59,675 DEBUG [at.xxx.yyy.awp.res.fil.AppOidcRequestFilter] (vert.x-eventloop-thread-1)     header: 'content-type' = 'application/x-www-form-urlencoded'
2024-03-12 19:03:59,675 DEBUG [at.xxx.yyy.awp.res.fil.AppOidcRequestFilter] (vert.x-eventloop-thread-0)     header: 'user-agent' = 'Vert.x-WebClient/4.5.4'
2024-03-12 19:03:59,675 DEBUG [at.xxx.yyy.awp.res.fil.AppOidcRequestFilter] (vert.x-eventloop-thread-1)     header: 'accept' = 'application/json'
2024-03-12 19:03:59,675 DEBUG [at.xxx.yyy.awp.res.fil.AppOidcRequestFilter] (vert.x-eventloop-thread-0)     header: 'content-type' = 'application/x-www-form-urlencoded'
2024-03-12 19:03:59,675 DEBUG [at.xxx.yyy.awp.res.fil.AppOidcRequestFilter] (vert.x-eventloop-thread-1)     header: 'authorization' = 'Basic xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx='
2024-03-12 19:03:59,675 DEBUG [at.xxx.yyy.awp.res.fil.AppOidcRequestFilter] (vert.x-eventloop-thread-0)     header: 'accept' = 'application/json'
2024-03-12 19:03:59,675 DEBUG [at.xxx.yyy.awp.res.fil.AppOidcRequestFilter] (vert.x-eventloop-thread-1) Request Parameters:
2024-03-12 19:03:59,675 DEBUG [at.xxx.yyy.awp.res.fil.AppOidcRequestFilter] (vert.x-eventloop-thread-0)     header: 'authorization' = 'Basic xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx='
2024-03-12 19:03:59,675 DEBUG [at.xxx.yyy.awp.res.fil.AppOidcRequestFilter] (vert.x-eventloop-thread-0) Request Parameters:
2024-03-12 19:03:59,776 DEBUG [io.qua.oid.run.DefaultTenantConfigResolver] (vert.x-eventloop-thread-0) Registered TenantResolver has not provided the configuration for tenant 'rt', using the default tenant
2024-03-12 19:03:59,776 DEBUG [io.qua.oid.run.OidcAuthenticationMechanism] (vert.x-eventloop-thread-0) Resolved OIDC tenant id: Default
2024-03-12 19:03:59,776 DEBUG [io.qua.oid.run.CodeAuthenticationMechanism] (vert.x-eventloop-thread-0) Session cookie is present, starting the reauthentication
2024-03-12 19:03:59,776 DEBUG [io.qua.oid.run.DefaultTenantConfigResolver] (vert.x-eventloop-thread-0) Registered TenantResolver has not provided the configuration for tenant 'rt', using the default tenant
2024-03-12 19:03:59,778 DEBUG [io.qua.oid.run.OidcIdentityProvider] (vert.x-eventloop-thread-0) Starting creating SecurityIdentity
2024-03-12 19:03:59,873 DEBUG [io.qua.oid.run.DefaultTenantConfigResolver] (vert.x-eventloop-thread-0) Registered TenantResolver has not provided the configuration for tenant 'rt', using the default tenant
2024-03-12 19:03:59,873 DEBUG [io.qua.oid.run.OidcIdentityProvider] (vert.x-eventloop-thread-0) Verifying the JWT token with the local JWK keys
2024-03-12 19:03:59,876 DEBUG [io.qua.oid.run.OidcProvider] (vert.x-eventloop-thread-0) Verification of the token issued to client tproject-core has failed: The JWT is no longer valid - the evaluation time NumericDate{1710270239 -> Mar 12, 2024, 7:03:59 PM UTC} is on or after the Expiration Time (exp=NumericDate{1710270135 -> Mar 12, 2024, 7:02:15 PM UTC}) claim value.
2024-03-12 19:03:59,876 DEBUG [io.qua.oid.run.OidcIdentityProvider] (vert.x-eventloop-thread-0) Token verification has failed: JWT (claims->{"iss": "https://access-test.somedomain.at","aud": "tproject-core","sub": "sampleuserid","unique_name": "[email protected]","email": "[email protected]","mail": "sampleuserid", "cn": "sampleuserid", "sn": "Mustermann", "givenName": "Markus","iat": 1710269835,"nbf": 1710269535,"exp": 1710270135}) rejected due to invalid claims or other invalid content. Additional details: [[1] The JWT is no longer valid - the evaluation time NumericDate{1710270239 -> Mar 12, 2024, 7:03:59 PM UTC} is on or after the Expiration Time (exp=NumericDate{1710270135 -> Mar 12, 2024, 7:02:15 PM UTC}) claim value.]
2024-03-12 19:03:59,876 DEBUG [io.qua.oid.run.CodeAuthenticationMechanism] (vert.x-eventloop-thread-0) Token has expired, trying to refresh it
2024-03-12 19:03:59,877 DEBUG [io.qua.oid.run.OidcProviderClient] (vert.x-eventloop-thread-0) Get token on: https://access-test.somedomain.at/oauth/idp/token params: grant_type=refresh_token
refresh_token=4af389c31674589e
 headers: user-agent=Vert.x-WebClient/4.5.4
content-type=application/x-www-form-urlencoded
accept=application/json
authorization=Basic xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=

2024-03-12 19:03:59,877 INFO  [at.xxx.yyy.awp.res.fil.AppOidcRequestFilter] (vert.x-eventloop-thread-0) Token URI: https://access-test.somedomain.at/oauth/idp/token
2024-03-12 19:03:59,877 INFO  [at.xxx.yyy.awp.res.fil.AppOidcRequestFilter] (vert.x-eventloop-thread-0) Request URI: /oauth/idp/token
2024-03-12 19:03:59,877 DEBUG [at.xxx.yyy.awp.res.fil.AppOidcRequestFilter] (vert.x-eventloop-thread-0) Request Headers:
2024-03-12 19:03:59,877 DEBUG [at.xxx.yyy.awp.res.fil.AppOidcRequestFilter] (vert.x-eventloop-thread-0)     header: 'user-agent' = 'Vert.x-WebClient/4.5.4'
2024-03-12 19:03:59,877 DEBUG [at.xxx.yyy.awp.res.fil.AppOidcRequestFilter] (vert.x-eventloop-thread-0)     header: 'content-type' = 'application/x-www-form-urlencoded'
2024-03-12 19:03:59,877 DEBUG [at.xxx.yyy.awp.res.fil.AppOidcRequestFilter] (vert.x-eventloop-thread-0)     header: 'accept' = 'application/json'
2024-03-12 19:03:59,877 DEBUG [at.xxx.yyy.awp.res.fil.AppOidcRequestFilter] (vert.x-eventloop-thread-0)     header: 'authorization' = 'Basic xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx='
2024-03-12 19:03:59,877 DEBUG [at.xxx.yyy.awp.res.fil.AppOidcRequestFilter] (vert.x-eventloop-thread-0) Request Parameters:
2024-03-12 19:04:00,073 DEBUG [jdk.eve.security] (vert.x-eventloop-thread-1)  TLSHandshake: access-test.somedomain.at:443, TLSv1.3, TLS_AES_256_GCM_SHA384, -840615719
2024-03-12 19:04:00,073 DEBUG [io.net.han.ssl.SslHandler] (vert.x-eventloop-thread-1) [id: 0x7f003a72, L:/10.2.6.252:60780 - R:access-test.somedomain.at/10.66.61.173:443] HANDSHAKEN: protocol:TLSv1.3 cipher suite:TLS_AES_256_GCM_SHA384
2024-03-12 19:04:00,077 ERROR [io.qua.oid.run.OidcProviderClient] (vert.x-eventloop-thread-1) Request https://access-test.somedomain.at/oauth/idp/login has failed: status: 400, error message: {"error": "invalid_request"}
2024-03-12 19:04:00,077 DEBUG [io.qua.oid.run.CodeAuthenticationMechanism] (vert.x-eventloop-thread-1) ID token refresh has failed: {"error": "invalid_request"}
2024-03-12 19:04:00,079 DEBUG [io.qua.oid.run.DefaultTenantConfigResolver] (vert.x-eventloop-thread-1) Registered TenantResolver has not provided the configuration for tenant 'rt', using the default tenant
2024-03-12 19:04:00,079 DEBUG [io.qua.oid.run.OidcAuthenticationMechanism] (vert.x-eventloop-thread-1) Resolved OIDC tenant id: Default
2024-03-12 19:04:00,079 DEBUG [io.qua.oid.run.DefaultTenantConfigResolver] (vert.x-eventloop-thread-1) Registered TenantResolver has not provided the configuration for tenant 'rt', using the default tenant

I will also try to find out more if there are any logs on Netscaler side - which could tell me why we get this HTTP 400 "invalid_request"

Thanks in advance Max

[mbuchner]

And here the well-known info from the OIDC provider - if that helps:

{
  "issuer": "https://access-test.somedomain.at",
  "authorization_endpoint": "https://access-test.somedomain.at/oauth/idp/login",
  "token_endpoint": "https://access-test.somedomain.at/oauth/idp/token",
  "jwks_uri": "https://access-test.somedomain.at/oauth/idp/certs",
  "response_types_supported": [
    "code",
    "token",
    "id_token"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "end_session_endpoint": "https://access-test.somedomain.at/oauth/idp/logout",
  "frontchannel_logout_supported": true,
  "scopes_supported": [
    "openid",
    "ctxs_cc"
  ],
  "claims_supported": [
    "sub",
    "iss",
    "aud",
    "exp",
    "iat",
    "auth_time",
    "acr",
    "amr",
    "email",
    "given_name",
    "family_name",
    "nickname"
  ],
  "userinfo_endpoint": "https://access-test.somedomain.at/oauth/idp/userinfo",
  "subject_types_supported": [
    "public"
  ]
}

[mbuchner]

It is also strange that the refresh token call calls:

Get token on: https://access-test.somedomain.at/oauth/idp/token params: grant_type=refresh_token

But the error states:

2024-03-12 19:04:00,077 ERROR [io.qua.oid.run.OidcProviderClient] (vert.x-eventloop-thread-1) Request https://access-test.somedomain.at/oauth/idp/login has failed: status: 400, error message: {"error": "invalid_request"}

so
https://access-test.somedomain.at/oauth/idp/token
vs.
https://access-test.somedomain.at/oauth/idp/login

Is the refresh_token flow supported at all based on the well-known info I posted above ...

[sberyozkin]

@mbuchner Hi,

but according to the Netscaler team a refresh token can only be used once - and should be replaced with the new one returned by the refresh call.

This is a good practice, refresh tokens are recycled.

So, if you have parallel SPA requests coming in on behalf of the same authenticated user, there is a race condition, by the time one of Quarkus requests managing the refresh for the corresponding SPA request reaches the provider, this token has been recycled. Quarkus can't control that. I think the SPA should simply coordinate it on its end somehow, I don't know, may be if you initiate N requests, there is some latch waiting for the completion of all of them and then deciding how to react, initiate a reauthentication or just proceed as normal if one of these requests returned 200, something like that.

[sberyozkin]

Please also confirm a single request only works and the RT grant works, and then look at how to handle N of them in parallel

[mbuchner]

Okay further investigation has been done - but still not really happy. I just got a hack working ...

We figured out that the "grant_type=refresh_token" request doesnt return an ID token. Only an access and refresh token.

We got the log "ID token is not returned in the refresh token grant response, re-authentication is required"
Then a full page reload takes place -> "grant_type=authorization_code"

We followed then the chapter in the quarkus documentation (https://quarkus.io/guides/security-oidc-code-flow-authentication#oauth2) - as there is something mentioned about "no ID token in refresh response" - but nothing worked ... quarkus always wanted to refresh after 5 min (end of ID token lifetime)

There would actually be a grant_type "id_token" (see above well-known file) which is supported - which could be called if there is no ID token in the "refresh token grant response" - so there would be a possibility to get the ID token but I dont see any implementation in the quarkus source code arround "id_token"grant_type.
Couldnt that be a solution to our problem? So if the "refresh token grant response" doesnt have an id token get it via "id_token grant_type"?

Finally here is our current hack to avoid quarkus to do a "refresh_token" call.

quarkus.oidc.token.refresh-expired=false
quarkus.oidc.token.lifespan-grace=18000   -> this is also the refresh token lifespan
quarkus.oidc.authentication.internal-id-token-lifespan=5H

## only used when also 'quarkus.oidc.token.refresh-expired' is set to true (quarkus source code research) -> so we (ab)use "quarkus.oidc.token.lifespan-grace"
#quarkus.oidc.authentication.session-age-extension=240

I also have to say that we dont use the UserInfo endpoint - we dont need any data from it.
This produces a session cookie which is valid for the next 5 hours (18000 sec).
It doesnt matter how active the user is - the session will end after those 5 hours and a complete page refresh will be required.

Hoping to find a better solution - waiting for your thoughts ...

Thanks Max

[sberyozkin]

@mbuchner

So if I understand it correctly, your provider returns ID token in the authorization code flow response, but, when the ID has expired, and the tokens are refreshed, it does not return an ID token ?

But if the ID token has become invalid (i.e, expired in this case), and no new ID token is returned, there is no choice but request it via an authorization code flow.

There would actually be a grant_type "id_token" (see above well-known file) which is supported
So if the "refresh token grant response" doesnt have an id token get it via "id_token grant_type"?

It is not a grant type, but a response type, this is part of the different flows, SPA would use the id_token response type to get the id token returned to it

quarkus.oidc.authentication.internal-id-token-lifespan=5H

Do you mean your provider does not return an ID token at all, and you also have quarkus.oidc.authentication.id-token-required=false ? This property is only relevant if the ID token is generated internally and it must be regenerated during the subsequent refresh requests

[mbuchner]

So if I understand it correctly, your provider returns ID token in the authorization code flow response, but, when the ID has expired, and the tokens are refreshed, it does not return an ID token ?

Yes thats correct! "grant_type=authorization_code" returns ID Token but "grant_type=refresh_token" doesnt return an ID token.

But if the ID token has become invalid (i.e, expired in this case), and no new ID token is returned, there is no choice but request it via an authorization code flow.

Thats exactly the issue - an "authorization code flow" needs a complete refresh of the page - so all form inputs a user has probably made are lost - and the SPA needs to be completly reloaded. :-(

[sberyozkin]

@mbuchner

The session validity is tied to the ID token validity. Quarkus can't use it to assert the session's validity if the ID token is invalid because it has expired.

So if your provider does not give a new ID token but you'd like to have a long Quarkus session, then I think you should configure ID token's lifespan, in the provider's dashboard, be equal to the maximum amount of time you'd like the session be active. This is an administrator's decision that you should consider taking.

Quarkus OIDC can't make this security sensitive decision itself and use an invalid ID token to extend the session indefinitely and then being challenged with CVEs. The only documented purpose of its session-age-extension property is to make sure the browser does not drop the session cookie (which keeps the encrypted ID token) in case of the low activity, for Quarkus be able to get to this session cookie and analyze the ID token, but your provider chooses not to return a new ID token.

Also, no matter what is configured to keep the session uninterrupted, the SPA must expect that the re-authentication will be required now or later, and manage a possible user's input accordingly.

Does it clarify it ? Thanks

[mbuchner]

Sorry if I'm annoying but I still don't understand why only the ID token validity is important.

When I call the "grant_type=authorization_code" the first time we get the following info which also includes the refresh token lifetime.

{
"access_token":"aaaaaaaaaaa",
"token_type":"Bearer",
"expires_in":3599,
"refresh_token":"rrrrrrrrrrrrrrrrr",
"refresh_token_expires_in":18000,
"id_token":"iiiiiiiiiiiiiiiiiiiiiii"
}

When I then constantly refresh the access token with the refresh token -> as explained here:
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps#name-refresh-tokens
and just keep the ID token from the first "authorization code response".

So a full "Authorization Code flow" is only needed when the refresh token expires according to this statement:

When the refresh token expires, there is no way to recover without running an entirely new Authorization Code flow.

This combination is also mentioned here as a valid approach:
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-browser-based-apps#name-combining-oauth-and-openid-

In the Quarkus implementation it immediately "stops" when the refresh doesn’t return an ID token.

[sberyozkin]

@mbuchner

Sorry if I'm annoying but I still don't understand why only the ID token validity is important.

You are welcome to keep asking/discussing for as long as you like, np at all.

In the Quarkus implementation it immediately "stops" when the refresh doesn’t return an ID token.

But if the refresh token grant is activated it means the ID token has expired. The refresh token can last for months, but the user may have to be re-authenticated every 4 hours, which is what ID token can help with. RT's goal is to refresh tokens only, and not be used as a very long session activator. If your provider does not want to return new ID tokens then may be this is what it wants, a user re-authentication once the ID token has expired.

You set the skew which means ID token is still valid for the next 2 mins or so, so the session should remain active for the remaining 2 mins if the RT grant response does not give a new ID token (as indeed is allowed, https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokenResponse). If that does not work for a single request only then please open a bug (but you said earlier you have parallel requests for the same authenticated user, so given a single time use of the refresh token with your provider, may be this is why you see some errors)

So please set ID token's lifespan to last for 18000, if it is what you require, given that your provider does not give a new ID token after the refresh, Quarkus can not make the decisions like that itself.

[sberyozkin]

@mbuchner FYI, #39556. It will take awhile to fix though, for now, control the ID token lifespan directly