Offline sessions do not work with delegated auth providers (saml, oidc...), choice and combination
Concerned version
Version: 2.0.7
Summary
The current implementation of offline sessions (see #813 (closed)) calls getUser to refresh user attributes when the refresh token is exchanged for a new access token.
This is necessary because these sessions can be very long lived, and we might want them to "see" when an attribute is updated.
When using a delegated provider (SAML, OIDC, Facebook...), getUser/setSessionInfo will not work outside of a complete authentication flow, which causes an error:
Logs
[debug] OpenID Refresh Token: 27f0e30f46e54f4c37bc439c23d49566e529615a853b099f9e83f143402e949b
[debug] Processing getUser
[debug] Returned error: 9 (PE_FIRSTACCESS)
[error] Could not resolve user: df8a8d4d-e26d-4d5f-a323-ea35e17f26ce
[warn] [anonymous] invalid_grant
Possible fixes
I can see several fixes:
- Ignore getUser errors when refreshing the token
- Avoid refreshing the user info entirely: we might need an "isRefreshable" method in each auth provider that tells LLNG if we can call UserInfo on this provider outside of an auth context. This could also be useful for cases like "Refresh My Rights" and password reset.
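To make the trade-off between the two proposed fixes concrete, here is an added toy model of the refresh-token path (Python, written for this page; it is not LemonLDAP::NG's own Perl code, and the names `Provider`, `refresh_access_token`, the `refreshable` flag standing in for the proposed `isRefreshable`, and the `PE_BADCREDENTIALS` code for a deleted user are assumptions). It reproduces the `invalid_grant` seen in the log for a delegated provider, then shows that simply ignoring getUser errors also hides the case where a refreshable backend no longer knows the user, whereas gating on a per-provider capability keeps that check for LDAP-style backends and only skips it where a lookup cannot work.

```python
"""Toy model of offline-session refresh against refreshable and delegated providers.

All names below are assumptions for this illustration, not LLNG's API.
"""

PE_FIRSTACCESS = 9  # error code shown in the issue log: "Returned error: 9 (PE_FIRSTACCESS)"


class AuthError(Exception):
    """Raised by a provider when getUser cannot resolve the user."""

    def __init__(self, code):
        super().__init__(code)
        self.code = code


class Provider:
    """Minimal stand-in for an auth/user backend (assumed interface)."""

    def __init__(self, name, refreshable, directory):
        self.name = name
        self.refreshable = refreshable  # proposed "isRefreshable" capability
        self.directory = directory      # uid -> attributes, standing in for LDAP/DB

    def get_user(self, uid):
        if not self.refreshable:
            # SAML/OIDC/Facebook...: user info only exists inside a complete
            # authentication flow, so an out-of-band lookup fails.
            raise AuthError(PE_FIRSTACCESS)
        if uid not in self.directory:
            raise AuthError("PE_BADCREDENTIALS")  # assumed code: user deleted/disabled
        return dict(self.directory[uid])


def refresh_access_token(session, provider, policy="current"):
    """Exchange an offline session (refresh token) for fresh attributes.

    policy:
      "current"       - always call getUser (behaviour reported in the issue)
      "ignore_errors" - proposed fix 1: keep cached attributes on any getUser error
      "capability"    - proposed fix 2: skip getUser when the provider cannot refresh
    Returns ("ok", attributes) or ("invalid_grant", reason).
    """
    if policy not in ("current", "ignore_errors", "capability"):
        raise ValueError(policy)
    cached = dict(session["attrs"])
    if policy == "capability" and not provider.refreshable:
        # Attributes captured at login may be stale, but the grant stays valid.
        return "ok", cached
    try:
        fresh = provider.get_user(session["uid"])
    except AuthError as e:
        if policy == "ignore_errors":
            # Masks PE_FIRSTACCESS, but also masks a user who no longer exists.
            return "ok", cached
        return "invalid_grant", f"Could not resolve user: {e.code}"
    session["attrs"] = fresh  # long-lived session "sees" updated attributes
    return "ok", dict(fresh)


def demo():
    """Run the scenarios from the issue and return their outcomes (constructed data)."""
    ldap = Provider("ldap", True, {"alice": {"mail": "alice@example.org"}})
    oidc = Provider("oidc", False, {})
    ldap_session = {"uid": "alice", "attrs": {"mail": "alice@example.org"}}
    oidc_session = {"uid": "bob", "attrs": {"mail": "bob@idp.example"}}

    results = {}
    # Delegated provider: current behaviour fails, capability gating keeps the grant.
    results["oidc_current"] = refresh_access_token(oidc_session, oidc, "current")[0]
    results["oidc_capability"] = refresh_access_token(oidc_session, oidc, "capability")
    # Refreshable provider: an attribute change is picked up on refresh.
    ldap.directory["alice"]["mail"] = "alice.new@example.org"
    results["ldap_updated"] = refresh_access_token(ldap_session, ldap, "capability")[1]["mail"]
    # User removed from the backend: only the capability policy still rejects the grant.
    del ldap.directory["alice"]
    results["ldap_deleted_capability"] = refresh_access_token(ldap_session, ldap, "capability")[0]
    results["ldap_deleted_ignore"] = refresh_access_token(ldap_session, ldap, "ignore_errors")[0]
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the last two scenarios is the security caveat for fix 1: a blanket "ignore getUser errors" turns a very long-lived offline session into one that can keep minting access tokens for an account the backend has since removed, while the capability approach only relaxes the check for providers where no out-of-band lookup is possible in the first place.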