[Feature]: Refresh Endpoint
Motivation
In SPAs we use a hidden iframe to keep the session cookie updated by calling /oauth2/start. This goes through the whole login flow, with redirects to and from the IdP (Keycloak), where a new session is created. It works fine, but is heavy-handed. It would be simpler to hit a separate endpoint that just refreshes the session, as if the --cookie-refresh had passed, e.g. /oauth2/refresh.
Note we can't just rely on --cookie-refresh because Keycloak does not support CORS on the auth endpoint, so re-login can't happen in XHRs.
I may be able to submit a PR for this if you're ok with the concept.
EDIT: One possible downside here is if at the time of refresh, there is only a short period of validity left on the access/refresh token. So e.g. the new cookie is valid for another hour, but the tokens are only valid for another five minutes. I believe the ideal implementation would be:
- If refresh token TTL > --cookie-refresh, refresh normally
- If refresh token TTL < --cookie-refresh, trigger the same behavior as /oauth2/start
- It would be nice for both /oauth2/refresh and /oauth2/start to accept a "final redirect uri" parameter, so we're not stuck with /, which might not be appropriate to load in a refresh/re-login scenario
Possible solution
No response
Provider
None
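The decision rule proposed in the issue, written out as an added Go example (oauth2-proxy is written in Go); this is not oauth2-proxy's code or the issue author's, and `decideRefresh`, `safeFinalRedirect`, `planRefresh` and the `Action` type are names made up for the illustration. It assumes the boundary case (refresh-token TTL exactly equal to --cookie-refresh) falls back to a re-login, which the issue does not specify. It also adds one thing the issue only implies: a caller-supplied "final redirect uri" must be validated before the browser is sent there, because a freely honoured redirect parameter is an open redirect. The allow-list policy here is an assumption, not a description of how oauth2-proxy validates redirects.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
	"time"
)

// Action is what the hypothetical /oauth2/refresh handler decides to do.
type Action int

const (
	// ActionRefresh: refresh the session in place, as --cookie-refresh would.
	ActionRefresh Action = iota
	// ActionReLogin: fall back to the full /oauth2/start flow via the IdP.
	ActionReLogin
)

func (a Action) String() string {
	if a == ActionRefresh {
		return "refresh"
	}
	return "relogin"
}

// decideRefresh applies the rule from the issue: refresh in place only when the
// refresh token will outlive the cookie-refresh interval. Otherwise the new
// cookie would still be valid long after its tokens are dead, so a full
// re-login is triggered instead. The boundary (TTL == cookieRefresh) is treated
// as a re-login; that is an assumption, the issue does not say.
func decideRefresh(now, refreshTokenExpiry time.Time, cookieRefresh time.Duration) Action {
	ttl := refreshTokenExpiry.Sub(now)
	if ttl > cookieRefresh {
		return ActionRefresh
	}
	return ActionReLogin
}

// safeFinalRedirect validates a caller-supplied "final redirect uri". The
// (hypothetical) policy accepts only:
//   - a same-origin absolute path such as "/app", rejecting "//host" and
//     "/\host", which browsers interpret as a different host;
//   - an http(s) URL whose hostname is in allowedHosts (userinfo tricks such
//     as "https://good@evil/" are caught because Hostname() returns "evil").
// Everything else falls back to "/", the default the issue wants to avoid
// being stuck with.
func safeFinalRedirect(raw string, allowedHosts []string) string {
	if raw == "" {
		return "/"
	}
	u, err := url.Parse(raw)
	if err != nil {
		return "/"
	}
	if u.Scheme == "" && u.Host == "" {
		if strings.HasPrefix(raw, "/") && !strings.HasPrefix(raw, "//") && !strings.HasPrefix(raw, "/\\") {
			return raw
		}
		return "/"
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return "/"
	}
	for _, h := range allowedHosts {
		if strings.EqualFold(u.Hostname(), h) {
			return raw
		}
	}
	return "/"
}

// planRefresh ties both checks together: what the handler would do, and where
// it would send the browser afterwards.
func planRefresh(now, refreshTokenExpiry time.Time, cookieRefresh time.Duration, rd string, allowedHosts []string) (Action, string) {
	return decideRefresh(now, refreshTokenExpiry, cookieRefresh), safeFinalRedirect(rd, allowedHosts)
}

func main() {
	now := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC) // constructed clock
	allowed := []string{"app.example"}                   // constructed allow-list
	cases := []struct {
		expiry time.Time
		rd     string
	}{
		{now.Add(2 * time.Hour), "/dashboard"},        // plenty of TTL: refresh in place
		{now.Add(5 * time.Minute), "//evil.example/"}, // 5 min left vs 1 h cookie: re-login; rd rejected
		{now.Add(90 * time.Minute), "https://app.example@evil.example/"},
	}
	for _, c := range cases {
		a, target := planRefresh(now, c.expiry, time.Hour, c.rd, allowed)
		fmt.Printf("expiry in %v, rd=%q -> %s, redirect to %q\n", c.expiry.Sub(now), c.rd, a, target)
	}
}
```

With a one-hour --cookie-refresh, a token that has five minutes left routes through the full /oauth2/start path rather than minting a cookie that outlives it; the redirect parameter is checked independently of which path is taken, so both endpoints can share it.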