-
Notifications
You must be signed in to change notification settings - Fork 283
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OIDC tokens are not refreshed #2643
Comments
refresh_token is not supported @Adphi - the user is logged out once the token expires and you are expected to re-login. This is a feature that we have to implement. |
@harshavardhana thanks for the quick response. At which level should it be implemented ? minio-go or console ? |
In the console the logic must be implemented. |
@harshavardhana has there been any progress on supporting refreshing OIDC tokens in MinIO Console? Here are some good reference materials about using refresh tokens:
|
Hey @bexsoft @kaankabalak @harshavardhana @prakashsvmx is there any chance of getting refresh tokens working in MinIO? Without this feature, users are forced to make their OIDC provider issue tokens with very long expires, which is a big security risk. The general pattern would be that Minio Console will additionally request the The only user-facing API change would be the addition of a config like
Okta has a very comprehensive write-up of how refresh tokens work, and how the various flows work: |
There is no need for an environment variable for token rotation. The expiration is already written into the jwt token. From what I remember when I went through the code, the refresh token returned by the OP is not stored anywhere (e.g. session cookie). The implementation uses the TokenSource from "golang.org/x/oauth2" which already supports token refreshing. |
@Adphi while we may not need to allow specifying a refresh interval, there is a need to allow users to disable the refresh function of MinIO Console. This is important because not all OpenID providers support refresh tokens, so a variable like |
In terms of implementation, I think we might actually already be storing the refresh token in a cookie called I know refresh tokens are a bit confusing, so I will provide a basic example of how they work, for reference. The JWT (id token) issued by the OpenID provider will have an expiry and the refresh token (returned inside the JWT) has separate expiry characteristics from the overall ID token. For example, consider the case of the following expiry periods:
In this case, while the overall JWT will expire within 60 minutes, at long as we use the refresh token flow at least once every 7 days, the user will not need to be interrupted (we can use the refresh token flow to get a new JWT without prompting or redirecting the user). The "maximum chain lifetime" is the maximum possible time (if we keep extending the user's token at least once every "minimum use interval") before the OpenID provider will require a new login. To understand the "reuse interval", you have to understand that the refresh token is changed each time we use it to generate a new JWT, you can think of it as a grace period during which the same refresh token can be used and get the same refresh token (to handle parallel requests). |
@thesuperzapper it's quite simple: do not request the |
I am testing the console authentication using dex as the identity provider.
I have configured the openid provider in the console with the following claims:
openid,profile,groups,email,offline_access
so that the console receives a refresh token.But the token is never actually refreshed and the user is logged out when it expires.
The text was updated successfully, but these errors were encountered: