access_type missing for OIDC/OAuth. Token expires after one hour.


Hi

I’m using the oidc auth module to authenticate against Google. My actual problem is that after an hour I have to re-authenticate against Google. I’ve read that Google has to be called with access_type=offline to get a refresh_token. But I haven’t found any possibility to add this to the configuration. I also investigated the request in the Chrome dev tools and this param is missing.

In addition I don’t use Redis. But I only run a single node k3s cluster with just one instance of Traefik v2 and external-auth-server. I guess in this case Redis is optional.

I use the following configuration, just to check whether all the other stuff is correct:

let config_token = {
  aud: "mydomain.io",
  eas: {
    plugins: [{
      type: "oidc",
      issuer: {
        discover_url: "https://accounts.google.com/.well-known/openid-configuration",
      },
      client: {
        client_id: "myid.apps.googleusercontent.com",
        client_secret: "mysecret"
      },
      scopes: ["openid", "email", "profile"], // must include openid
      redirect_uri: "https://auth.domain.io/oauth/callback",
      features: {
        cookie_expiry: true,
        userinfo_expiry: true,
        session_expiry: true,
        session_expiry_refresh_window: 60 * 30, // Google's access_token expires within 60min
        session_retain_id: true,
        refresh_access_token: true,
        fetch_userinfo: true,
        introspect_access_token: false, // Not supported by Google
        authorization_token: "access_token"
      },
      assertions: {
        exp: true,
        nbf: true,
        iss: true,
        userinfo: [{
          query_engine: "jp",
          query: "$.email",
          rule: {
            method: "in",
            value: ["myemailr@gmail.com"],
            case_insensitive: false
          }
        }]
      },
      cookie: {
        domain: "mydomain.io",
      },
      headers: {},
    }]
  }
};

Google’s access_token has a validity of 60 minutes.

Thank you. Best Danny

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Comments: 26 (15 by maintainers)

Top GitHub Comments

1 reaction
dannyyy commented, Feb 3, 2020

Thank you, the request to Google now includes the access_type=offline parameter. Is there a simple method to check whether eas can retrieve and use it? Because this part is hidden from the browser. According to Google, eas has to retrieve the refresh_token from the token endpoint, together with the other tokens (id_token and access_token).

I will give you feedback from a front-end perspective whether I have to re-authenticate after an hour or not 😉
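
An added example (not part of the original thread and not eas code) of the two checks discussed here: whether the authorization request carries access_type=offline, and whether a captured token endpoint response contains a refresh_token. The helper names and all sample values are constructed; the Google authorization URL and the way the token response is captured are assumptions.

```javascript
// Added example: helper names and sample values are constructed, not taken from eas.
// Authorization request as it would look in the browser's network tab (constructed).
const SAMPLE_AUTH_URL_BEFORE =
  "https://accounts.google.com/o/oauth2/v2/auth?response_type=code" +
  "&client_id=myid.apps.googleusercontent.com&scope=openid%20email%20profile" +
  "&redirect_uri=https%3A%2F%2Fauth.domain.io%2Foauth%2Fcallback&state=constructed";
const SAMPLE_AUTH_URL_AFTER = SAMPLE_AUTH_URL_BEFORE + "&access_type=offline";
// Constructed token endpoint response; token values are placeholders.
const SAMPLE_TOKEN_RESPONSE = JSON.stringify({
  access_token: "PLACEHOLDER_ACCESS", id_token: "PLACEHOLDER_ID",
  refresh_token: "PLACEHOLDER_REFRESH", expires_in: 3599, token_type: "Bearer",
});

// Check the parameters that decide whether Google will issue a refresh_token.
function checkAuthRequest(authUrl) {
  const params = new URL(authUrl).searchParams;
  const scopes = (params.get("scope") || "").split(/\s+/).filter(Boolean);
  const offline = params.get("access_type") === "offline";
  const problems = [];
  if (params.get("response_type") !== "code") problems.push("response_type is not 'code'");
  if (!scopes.includes("openid")) problems.push("scope lacks 'openid'");
  if (!offline) problems.push("access_type=offline missing, so no refresh_token will be issued");
  return { offline, scopes, problems };
}

// Report which tokens are present without echoing their values into logs.
function checkTokenResponse(body) {
  const r = typeof body === "string" ? JSON.parse(body) : body;
  const present = (k) => typeof r[k] === "string" && r[k].length > 0;
  const expires = Number(r.expires_in);
  return {
    hasAccessToken: present("access_token"),
    hasIdToken: present("id_token"),
    hasRefreshToken: present("refresh_token"),
    expiresInSeconds: Number.isFinite(expires) ? expires : null,
  };
}

console.log(checkAuthRequest(SAMPLE_AUTH_URL_BEFORE).problems);
console.log(checkAuthRequest(SAMPLE_AUTH_URL_AFTER).problems);
console.log(checkTokenResponse(SAMPLE_TOKEN_RESPONSE));
```

Google returns a refresh_token only on the first consent for a given client and user, so a response without one can also mean the account had already authorized the client before access_type=offline was added.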

0 reactions
travisghansen commented, Feb 28, 2020

This has landed in master/latest.
