From a22668eb8c7cd404a8ab930be2de54c75f5b97f2 Mon Sep 17 00:00:00 2001 From: Simon <32738398+shuesken@users.noreply.github.com> Date: Thu, 18 Jul 2024 22:11:40 +0200 Subject: [PATCH] docs: make clear that any access token expiry dates are ignored (#2644) * docs: make clear that any access token expiry dates are ignored * clarify why access-token expiration cannot be validated --------- Co-authored-by: Jan Larwig --- docs/docs/configuration/sessions.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/docs/docs/configuration/sessions.md b/docs/docs/configuration/sessions.md index fa8657af..e2037817 100644 --- a/docs/docs/configuration/sessions.md +++ b/docs/docs/configuration/sessions.md 
@@ -60,13 +60,15 @@ Two settings are used to configure the OAuth2 Proxy cookie lifetime: The "cookie-expire" value should be equal to the lifetime of the Refresh-Token that is issued by the OAuth2 authorization server. If it expires earlier and is deleted by the browser, OAuth2 Proxy cannot find the stored Refresh-Tokens in Redis and thus cannot start -the refresh flow to get new Access-Tokens. If it is longer, it might be that the old Refresh-Token will be found in Redis but has already +the refresh flow to get a new Access-Token. If it is longer, it might be that the old Refresh-Token will be found in Redis but has already expired. The "cookie-refresh" value controls when OAuth2 Proxy tries to refresh an Access-Token. If it is set to "0", the -Access-Token will never be refreshed, even it is already expired and there would be a valid Refresh-Token in the -available. If set, OAuth2 Proxy will refresh the Access-Token after this many seconds even if it is still valid. -Of course, it will also be refreshed after it has expired, as long as a Refresh Token is available. +Access-Token will never be refreshed, even if it is already expired and a valid Refresh-Token is available. If set, OAuth2-Proxy will +refresh the Access-Token after this many seconds whether it is still valid or not. According to the official OAuth2.0 specification +Access-Tokens are not required to follow a specific format. Therefore OAuth2-Proxy cannot check for any expiry date without an +introspection endpoint. If an Access-Token expires and you have not set a corresponding "cookie-refresh" value, you will likely +encounter expiry issues. Caveat: It can happen that the Access-Token is valid for e.g. "1m" and a request happens after exactly "59s". It would pass OAuth2 Proxy and be forwarded to the backend but is just expired when the backend tries to validate
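Review bot: the added paragraph spells the project name two ways. The context lines and the first new line use "OAuth2 Proxy", while "If set, OAuth2-Proxy will" and "Therefore OAuth2-Proxy cannot check" use the hyphenated form; pick one spelling (the surrounding docs use "OAuth2 Proxy") for the whole hunk. Two smaller style points in the same lines: "the official OAuth2.0 specification" should read "the official OAuth 2.0 specification", and that sentence needs a comma after "specification" before "Access-Tokens are not required to follow a specific format". Lastly, "you will likely encounter expiry issues" is vague; the unchanged "Caveat:" text right below already states the concrete outcome (the request passes OAuth2 Proxy but the backend rejects the expired token), so name that consequence directly, for example "the expired Access-Token will be forwarded to the backend and rejected there", rather than "expiry issues".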