Cloudron OIDC /.well-known/openid-configuration shows refresh_token in grant_types_supported but offline_access scope does not cause a refresh_token to be returned from the token endpoint
-
When looking at
https://<CloudronDashboardHost>/.well-known/openid-configuration
I see that it includes `refresh_token` in `grant_types_supported`. If I go through the authorization flow with the scope of `openid offline_access`, the response from the token endpoint does not include a `refresh_token`.

I did notice that in the documentation for oidc-provider it has an example of defining a ttl for RefreshToken, but in the oidc.js code used in the box application it specifies the other ttl values but none for RefreshToken.
Steps to reproduce via PowerShell (this is the simplest method I have found for testing OIDC stuff, but I get the same results with code implemented in JavaScript using fetch running in a Chrome extension service worker):
- Install the PSAuthClient module

```powershell
Install-Module -Name PSAuthClient
```

- Run the following to get a response from the authorization endpoint to start the process

```powershell
$OidcMetaData = Get-OidcDiscoveryMetadata -uri https://<CloudronDashboardHost>/.well-known/openid-configuration
$ClientID = "<ValueOfCLOUDRON_OIDC_CLIENT_IDGoesHere>"
$ClientSecret = "<ValueOfCLOUDRON_OIDC_CLIENT_SECRETGoesHere>"
$Scope = "openid"                  # baseline request; overridden by the next line
$Scope = "openid offline_access"   # offline_access is the scope that requests a refresh_token
$AuthorizationEndpointResponse = Invoke-AuthorizationEndpoint -uri $OidcMetaData.authorization_endpoint -client_id $ClientID -redirect_uri "http://localhost" -response_type "code" -scope $Scope -Verbose
$AuthorizationEndpointResponse
```
Example output:

```text
Name            Value
----            -----
code            MwGkfTFphYMb7hp5t7_WCkgstwgWT1KZuLiOVSjBQIx
redirect_uri    http://localhost
client_id       <Redacted>
nonce           W2lFWf-nEkeOZ5u6anNovQvde016-U0N
code_verifier   tpZVJsWM_0SqdHnFfNl5vSGIf9B.gQhEBgQjBTrEGBt5kLaYhUDVv95ZOUvKDeb9O30eJ2L~liJMX3L3Gt70ackXLXceh03ht6r7T9T7p3DSv
```
- Now run the following to get a response from the token endpoint that I believe should include a `refresh_token` but doesn't

```powershell
$TokenEndpointResponse = Invoke-TokenEndpoint -uri $OidcMetaData.token_endpoint -client_id $ClientID -client_secret $ClientSecret -client_auth_method client_secret_post -Verbose -code $AuthorizationEndpointResponse.code -redirect_uri "http://localhost" -code_verifier $AuthorizationEndpointResponse.code_verifier
$TokenEndpointResponse
```
Example:

```text
access_token    : <Redacted>
expires_in      : 3600
id_token        : <Redacted>
scope           : openid
token_type      : Bearer
expiry_datetime : 3/29/2024 1:12:54 PM
```
We can see that `refresh_token` is not included, and also that the `scope` doesn't include `offline_access`. If I run this again with `$Scope = "openid offline_access profile"`, the token endpoint response includes `scope : openid profile` and the `id_token` JWT includes additional profile data, so other scopes do seem to work but not `offline_access`.

For this to work, http://localhost needs to be in the Cloudron manifest:

```
{
  ...
  "addons": {
    ...
    "oidc": {
      "loginRedirectUri": "...,http://localhost"
    }
  },
  ...
}
```
What is the right way to get a `refresh_token` via Cloudron's OIDC?
-
Currently our OpenID provider does not issue any `refresh_token`s yet. All clients are created without the `refresh_token` grant type. For the moment it is only useful as an identity provider as such. But we will extend it further based on requirements. Will look into this for the coming releases.
-