GitLab

Concerned version

Version: %2.0.4 to %2.0.11

Summary

• Configure an OIDC client
• Configure a OAuth2 handler
• Set access token lifetime to 10 seconds
• Use Access Token from OIDC client to access the OAuth2 handler => works
• Wait 30 seconds
• Use Access Token from OIDC client to access the OAuth2 handler => WORKS
• /userinfo or /introspection correctly show that the token is expired

Logs

[debug] Found OAuth2 access token 597d0faa693e96f08823e73164c87366b586104f575dcc648cf7b90a88b8988e
[debug] Get OIDC session 597d0faa693e96f08823e73164c87366b586104f575dcc648cf7b90a88b8988e
# missing validation here
[debug] Get user session id 59941a30e71df1c86fb05e14eec697264ca38311b18c082731230af6f23f8787