Description
Describe the bug
We are using Quarkus OIDC and for our clientId the following settings are configured with the Identity Provider:
OIDC Token Lifetime (Seconds): 300
Access Token Lifetime (Seconds): 300
Refresh Token Lifetime (Seconds): 600
(small numbers for testing only!)
We have configured Quarkus OIDC with following settings:
quarkus.oidc.enabled=true
quarkus.oidc.application-type=web-app
quarkus.oidc.authentication.user-info-required=true
quarkus.oidc.token.refresh-expired=true
quarkus.oidc.authentication.session-age-extension=PT300S
quarkus.oidc.token-cache.max-size=1000
After a user logs in, the q_session lifetime is set to the duration of the OIDC token plus the session-age-extension. In our case the session lifetime is exactly as long as the refresh token lifetime.
Expected behavior
When a user makes a request after the id token and access token expired, but before the refresh token and the session cookie expired, then the refresh token is used to retrieve a new pair of access token, id token and refresh token from the identity provider.
Actual behavior
When a user makes a request after the id token and access token expired, but before the refresh token and the session cookie expired, then an HTTP 401 exception is returned.
In the logs we can find the following DEBUG and ERROR statements:
2023-03-09 09:26:56,817 DEBUG [io.qua.oid.run.OidcIdentityProvider] (vert.x-eventloop-thread-3) Requesting UserInfo
2023-03-09 09:26:56,818 DEBUG [io.qua.oid.run.OidcProviderClient] (vert.x-eventloop-thread-3) Get UserInfo on: https://.../userinfo auth: Bearer xxx-XX-XXXXXXXX_XXXXX
2023-03-09 09:26:56,906 DEBUG [io.qua.oid.run.OidcProviderClient] (vert.x-eventloop-thread-3) Request has failed: status: 401, error message: {"error_description":"The access token provided is expired, revoked, malformed, or invalid for other reasons.","error":"invalid_token"}
2023-03-09 09:26:56,908 ERROR [io.qua.oid.run.CodeAuthenticationMechanism] (vert.x-eventloop-thread-3) ID token verification failure: io.quarkus.oidc.OIDCException: {"error_description":"The access token provided is expired, revoked, malformed, or invalid for other reasons.","error":"invalid_token"}
How to Reproduce?
Steps to reproduce
- Start the server in DEV mode
- Open the web application and login
- Restart the server (in order to make sure there are no tokens cached anymore). This mimics the situation in a cloud environment where you have many pods running and they might restart during the lifespan of a user session (which will in our case be over 10h in reality)
- Perform an activity in your open session in the web app
- You see an HTTP 401
Output of uname -a or ver
No response
Output of java -version
No response
GraalVM version (if different from Java)
No response
Quarkus version or git rev
2.16.3.Final
Build tool (i.e. output of mvnw --version or gradlew --version)
Gradle 7.3.3
Additional information
No response
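The following is an added illustration of the refresh ordering the report expects; it is constructed for this page and is not code from the reporter or from Quarkus. The IdentityProvider, Session, login, handle_request and userinfo_first names are hypothetical stand-ins, the lifetimes mirror the report's test settings (300 s access/ID token, 600 s refresh token, PT300S session-age-extension), and the IdP is a mock that rotates the refresh token on every refresh, as the expected-behavior paragraph describes. handle_request checks the session cookie and token expiry first, refreshes when allowed, and only then calls UserInfo; userinfo_first models the ordering the quoted log suggests, where UserInfo is called with the already-expired access token and the request fails before any refresh is attempted.

```python
"""Constructed model of the session/refresh decision described in the report.
Hypothetical names; not Quarkus code. Times are integer seconds."""
from dataclasses import dataclass
import itertools

ACCESS_LIFETIME = 300          # Access Token Lifetime / OIDC Token Lifetime (report)
REFRESH_LIFETIME = 600         # Refresh Token Lifetime (report)
SESSION_AGE_EXTENSION = 300    # quarkus.oidc.authentication.session-age-extension=PT300S


@dataclass
class Tokens:
    access: str
    id_token: str
    refresh: str
    access_exp: int   # the ID token shares this expiry in the report's setup
    refresh_exp: int


@dataclass
class Session:
    tokens: Tokens
    cookie_exp: int   # q_session lifetime = token lifetime + session-age-extension


class IdentityProvider:
    """Mock IdP: issues token triples, answers /userinfo, honours refresh grants."""

    def __init__(self):
        self._seq = itertools.count(1)
        self._access = {}    # access token -> expiry
        self._refresh = {}   # refresh token -> expiry

    def issue(self, now):
        n = next(self._seq)
        t = Tokens(f"at{n}", f"idt{n}", f"rt{n}",
                   now + ACCESS_LIFETIME, now + REFRESH_LIFETIME)
        self._access[t.access] = t.access_exp
        self._refresh[t.refresh] = t.refresh_exp
        return t

    def userinfo(self, access, now):
        exp = self._access.get(access)
        if exp is None or now >= exp:
            # Same error shape as the 401 quoted in the report's log
            return 401, {"error": "invalid_token",
                         "error_description": "The access token provided is expired, "
                                              "revoked, malformed, or invalid for other reasons."}
        return 200, {"sub": "alice"}

    def refresh(self, refresh_token, now):
        exp = self._refresh.pop(refresh_token, None)  # rotation: old refresh token is consumed
        if exp is None or now >= exp:
            return None                               # expired, revoked or already rotated
        return self.issue(now)


def login(idp, now):
    """Authorization-code login: tokens plus a session cookie that outlives them by the extension."""
    t = idp.issue(now)
    return Session(t, t.access_exp + SESSION_AGE_EXTENSION)


def handle_request(idp, session, now, refresh_expired=True):
    """Expected ordering: cookie check, token expiry check (refresh if allowed), then UserInfo."""
    if now >= session.cookie_exp:
        return 401, "session expired"
    if now >= session.tokens.access_exp:
        if not refresh_expired:                       # quarkus.oidc.token.refresh-expired=false
            return 401, "token expired, refresh disabled"
        new = idp.refresh(session.tokens.refresh, now)
        if new is None:
            return 401, "refresh token expired"
        session.tokens = new
        session.cookie_exp = new.access_exp + SESSION_AGE_EXTENSION
    return idp.userinfo(session.tokens.access, now)


def userinfo_first(idp, session, now):
    """Ordering the quoted log suggests: UserInfo with the stale token, failing before any refresh."""
    status, body = idp.userinfo(session.tokens.access, now)
    if status != 200:
        return 401, body
    return status, body
```

With the report's numbers a request at t=400 s (after the 300 s access/ID token expiry, before the 600 s refresh token and cookie expiry) succeeds only under the expected ordering; the userinfo-first ordering returns the same invalid_token 401 that appears in the log, without ever using the still-valid refresh token.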