Azure AD OIDC token refresh
Hello,
Azure AD OIDC initial auth is working fine. In about an hour (when the token expires) Coder seems to try to refresh the token and fails. Per the docs, it's advised to check if rt_hash is provided; however, per the Azure AD docs this claim is not available by default. Is it absolutely needed and has to be added to AD (extension), or is there another way to make the refresh token process work with Azure AD? Thank you.
When refresh fails the following is displayed in the browser (error):
Could not refresh expired OpenId Connect token. Try re-auth...ing to resolve this issue.
oauth2: cannot unmarshal token: %!w(<nil>)
11 Replies
Category
Help needed
Product
Coder (v2)
Platform
Linux
As per https://coder.com/docs/admin/users/oidc-auth/refresh-tokens you need to add offline_access as an additional scope. With this set, the id_token JWT should contain the rt_hash claim, confirming that a refresh token is issued.
Hello, this is the doc I was referring to when I said that it looks like rt_hash is expected. What is strange about this statement is that it's for Azure; however, Azure by default does not provide the rt_hash claim. Why would Coder rely on rt_hash instead of another mechanism supported by Azure?
The question was whether there is a way to configure Coder to do the refresh token without changing the default behavior of Azure.
Thank you for the response.
@Phorcys do you know?
Hello @Atif, the issue looks to be related to the expires_in property coming as a "string" from Azure AD instead of the expected integer.
This only impacts refresh if certificate-type auth is used (if a client secret is used then all is well):
https://github.com/coder/coder/blob/main/coderd/oauthpki/oidcpki.go#L226
Additionally, see this:
https://learn.microsoft.com/en-us/answers/questions/2337020/azure-ad-token-endpoint-returns-expires-in-as-stri
https://feedback.azure.com/d365community/idea/7772fd95-26e6-ec11-a81b-0022484ee92d
Let me know if you would like me to raise an issue on GitHub or propose a PR to handle conversion from string to int when a string comes from AD.
Thank you
Additionally, this error statement should print unmarshalError instead of err: https://github.com/coder/coder/blob/main/coderd/oauthpki/oidcpki.go#L250
Can you please move this to a GitHub issue? Or if you want to contribute a fix, you are welcome to.
Also thanks for the investigation.
Sure, will do: either one or the other.
fix(coderd): correct the name of the unmarshall error variable by y...
An incorrect error variable is used when reporting the issue during unmarshal operations, and this makes it hard to understand the underlying reason for the OIDC failure: use unmarshalError instead o...
fix(coderd): support string type for oidc response's expires_in jso...
Some versions of Azure AD return the expires_in property as a string. Use json.Number to accept either an integer or a string and then convert to int64.
Helpful links:
https://learn.microsoft.com/en-us/answer...
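To make the failure mode and the json.Number fix concrete for the expires_in discussion above and the second PR description, here is an added, self-contained Go example. It is not Coder's code and not taken from either PR: the tokenResponse and strictTokenResponse types, the parseExpiresIn and strictDecodeError functions, and the two sample /token bodies are all constructed for illustration (the token values are placeholders, not captured from a tenant). The comment on the error path also notes why wrapping a nil error variable yields the "%!w(<nil>)" text from the original error message.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// tokenResponse holds the /token response fields relevant to the refresh
// failure discussed above. ExpiresIn is json.Number rather than int64 so that
// both `"expires_in": 3599` (the usual form) and `"expires_in": "3599"` (the
// quoted form some Azure AD responses use) decode: encoding/json accepts a
// JSON string into json.Number as long as it is a valid numeric literal.
// (Hypothetical type for this example, not Coder's.)
type tokenResponse struct {
	AccessToken  string      `json:"access_token"`
	TokenType    string      `json:"token_type"`
	RefreshToken string      `json:"refresh_token,omitempty"`
	IDToken      string      `json:"id_token,omitempty"`
	ExpiresIn    json.Number `json:"expires_in"`
}

// strictTokenResponse is the shape that breaks on Azure AD: an int64 field
// rejects a quoted number with a *json.UnmarshalTypeError.
type strictTokenResponse struct {
	ExpiresIn int64 `json:"expires_in"`
}

// parseExpiresIn decodes a token response and returns expires_in in seconds,
// whether the IdP sent it as a JSON number or as a quoted string.
func parseExpiresIn(body []byte) (int64, error) {
	var tr tokenResponse
	if err := json.Unmarshal(body, &tr); err != nil {
		// Wrap the error Unmarshal actually returned. Passing a different
		// variable that is nil to %w is what prints "%!w(<nil>)", which is
		// the unhelpful message the original post shows.
		return 0, fmt.Errorf("oauth2: cannot unmarshal token: %w", err)
	}
	if tr.ExpiresIn == "" {
		return 0, errors.New("oauth2: token response has no expires_in")
	}
	secs, err := tr.ExpiresIn.Int64()
	if err != nil {
		return 0, fmt.Errorf("oauth2: invalid expires_in %q: %w", tr.ExpiresIn, err)
	}
	if secs < 0 {
		return 0, fmt.Errorf("oauth2: negative expires_in %d", secs)
	}
	return secs, nil
}

// strictDecodeError shows the failure mode: the error an int64 expires_in
// field produces for the given body (nil when the body decodes cleanly).
func strictDecodeError(body []byte) error {
	var tr strictTokenResponse
	return json.Unmarshal(body, &tr)
}

// Constructed sample responses (placeholders, not captured from a real tenant).
const (
	numericResponse = `{"access_token":"eyJ...","token_type":"Bearer","expires_in":3599,"refresh_token":"0.AX..."}`
	quotedResponse  = `{"access_token":"eyJ...","token_type":"Bearer","expires_in":"3599","refresh_token":"0.AX..."}`
)

func main() {
	for _, body := range []string{numericResponse, quotedResponse} {
		secs, err := parseExpiresIn([]byte(body))
		fmt.Printf("json.Number: expires_in=%d err=%v\n", secs, err)
		fmt.Printf("int64:       err=%v\n", strictDecodeError([]byte(body)))
	}
}
```

Running it shows both bodies decoding to 3599 through json.Number, while the int64 field only accepts the numeric body and returns an UnmarshalTypeError for the quoted one. The extra checks (missing field, non-numeric string, negative value) are what a practitioner would want in front of the expiry arithmetic that drives the refresh timer.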