Opaque access token not refreshed in authorization code flow (related to issue #32109)

[MickaelAlvarez]

Hello,

I have the issue described here: #32109

I'm in an authorization code flow. The access tokens are opaque, and when introspection is run on a valid token the response is:
{"active":true,"scope":"roles...","token_type":"Bearer","exp":1734022379,...}
When introspection is run on an expired access token, the response is:
{ "active": false }

As a result, no exp date is returned in that case, and the end user is asked to log in again. In my case, it's annoying because of the short TTL on access tokens.

In this issue the proposed solution is to store the exp date retrieved in a cookie, when the code is exchanged for the tokens, and then:

The challenge here is that unless it is integrity protected, we can't rely on this expiry date coming from the cookie.

Why can't we rely on a saved expiry date from the cookie?
Is there a known workaround to force access tokens to be refreshed in that case?

[sberyozkin]

@MickaelAlvarez Do you work with an OAuth2 provider ? I'm curious why the access token has to be introspected, thanks

[sberyozkin]

Never mind, you said it clearly it is the same issue as in the linked issue.

To support such a case, the way the session cookie content is structured has to be reworked, right now tokens are concatenated and encrypted, but it really should be a JSON container, which can accommodate extra properties such as the binary access token expiry time.

I think the workaround at the the moment may be to to try to cause a valid ID token refresh, with quarkus.oidc.token.refresh-token-time-skew - which should keep returning a refreshed access token too...

I'll try to prioritize on that issue now that we have several users asking about it...

[MickaelAlvarez]

Yes I work with an OpenAM OAuth2 provider, and I need to get roles from userInfo enpoint, then introspection is performed with this property quarkus.oidc.authentication.verify-access-token=true set.

Now I effectively set a quarkus.oidc.token.refresh-token-time-skew but the TTL is about 1 minute, so when no interraction is made in 1 minute we need to log in again, and it happens often 😅 . To adress this issue I put a "keep alive" API polled every 30 seconds in combination with the refresh token time skew to keep refreshing the access token. However I don't like this solution because it generate to much requests.

Thank you for the explanations!

[sberyozkin]

@MickaelAlvarez FYI, you should be able to remove quarkus.oidc.authentication.verify-access-token=true, it is expected to be enabled automatically if you have UserInfo injected

[sberyozkin]

@MickaelAlvarez FYI, #45337