Offline sessions do not work with delegated auth providers (saml, oidc...), choice and combination (#2083) · Issues · LemonLDAP NG / lemonldap-ng

Offline sessions do not work with delegated auth providers (saml, oidc...), choice and combination

Concerned version

Version: 2.0.7

Summary

The current implementation of offline sessions (see #813 (closed)) calls getUser to refresh user attributes when the refresh token is exchanged for a new access token.

This is necessary because these sessions can be very long lived, and we might want them to "see" when an attribute is updated.

When using a delegated provider (SAML, OIDC, facebook...), getUser/setSessionInfo will not work outside of a a complete authentication flow. Which causes an error:

Logs

[debug] OpenID Refresh Token: 27f0e30f46e54f4c37bc439c23d49566e529615a853b099f9e83f143402e949b
[debug] Processing getUser
[debug] Returned error: 9 (PE_FIRSTACCESS)
[error] Could not resolve user: df8a8d4d-e26d-4d5f-a323-ea35e17f26ce
[warn] [anonymous] invalid_grant

Possible fixes

I can see several fixes:

Ignore getUser errors when refreshing the token
Avoid refreshing the user info entirely: we might need an "isRefreshable" method in each auth provider that tells LLNG if we can call UserInfo on this provider outside of an auth context. This could also be useful for cases like "Refresh My Rights" and password reset.

### Concerned version

Version: 2.0.7

### Summary

The current implementation of offline sessions (see #813) calls getUser to refresh user attributes when the refresh token is exchanged for a new access token.

This is necessary because these sessions can be very long lived, and we might want them to "see" when an attribute is updated.

When using a delegated provider (SAML, OIDC, facebook...), getUser/setSessionInfo will not work outside of a a complete authentication flow. Which causes an error:

### Logs

```
[debug] OpenID Refresh Token: 27f0e30f46e54f4c37bc439c23d49566e529615a853b099f9e83f143402e949b
[debug] Processing getUser
[debug] Returned error: 9 (PE_FIRSTACCESS)
[error] Could not resolve user: df8a8d4d-e26d-4d5f-a323-ea35e17f26ce
[warn] [anonymous] invalid_grant
```

### Possible fixes

I can see several fixes:

* Ignore getUser errors when refreshing the token

* Avoid refreshing the user info entirely: we might need an "isRefreshable" method in each auth provider that tells LLNG if we can call UserInfo on this provider outside of an auth context. This could also be useful for cases like "Refresh My Rights" and password reset.

Edited Feb 28, 2020 by Maxime Besson

To upload designs, you'll need to enable LFS. More information