Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Token refresh can cause automatic authStyle detection to break #718

Open
codablock opened this issue Apr 5, 2024 · 0 comments
Open

Token refresh can cause automatic authStyle detection to break #718

codablock opened this issue Apr 5, 2024 · 0 comments

Comments

@codablock
Copy link

retrieveToken is called in two situations:

  1. When the initial token is exchanged (https://github.com/golang/oauth2/blob/master/oauth2.go#L234)
  2. When the token is refreshed (https://github.com/golang/oauth2/blob/master/oauth2.go#L275)

In both cases, internal.RetrieveToken is called, which then performs auto-detection of authType when not explicitly configured.

The problem now is, that some providers allow to perform token refresh without additional authentication. They're perfectly happy when the refresh token is valid and thus they successfully return a valid token even when the wrong authType is used. This leads to caching the wrong authStyle when a token refresh is performed BEFORE the first token exchange.

This can happen after the application is restarted while users still have valid refresh tokens (e.g. in the browser session). If the application then issues a token refresh before a new signin is performed, the errornous caching will cause ALL future token exchanges to fail as it will keep using the wrong authStyle.

I encountered this with Azure AD and the v2.0 issuer.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant