Cloudron OIDC /.well-known/openid-configuration shows refresh_token in grant_types_supported but offline_access scope does not cause a refresh_token to be returned from the token endpoint
When looking at `https://<CloudronDashboardHost>/.well-known/openid-configuration` I see that it includes `refresh_token` in `grant_types_supported`. If I go through the authorization flow with the scope of `openid offline_access` the response from the token endpoint does not include a `refresh_token`. I did notice that in the documentation for oidc-provider it has an example of defining a ttl for RefreshToken but in the oidc.js code used in the box application it specifies the other ttl values but none for RefreshToken.
Steps to reproduce via PowerShell (this is the simplest method I have found for testing OIDC stuff, but I get the same results with code implemented in JavaScript using fetch running in a Chrome extension service worker):
- Install the PSAuthClient module

```powershell
Install-Module -Name PSAuthClient
```

- Run the following to get a response from the authorization endpoint to start the process

```powershell
$OidcMetaData = Get-OidcDiscoveryMetadata -uri https://<CloudronDashboardHost>/.well-known/openid-configuration
$ClientID = "<ValueOfCLOUDRON_OIDC_CLIENT_IDGoesHere>"
$ClientSecret = "<ValueOfCLOUDRON_OIDC_CLIENT_SECRETGoesHere>"
$Scope = "openid"                 # baseline request without offline_access
$Scope = "openid offline_access"  # overrides the line above; this is the scope actually sent
$AuthorizationEndpointResponse = Invoke-AuthorizationEndpoint -uri $OidcMetaData.authorization_endpoint -client_id $ClientID -redirect_uri "http://localhost" -response_type "code" -scope $Scope -Verbose
$AuthorizationEndpointResponse
```

Example output:

```
Name          Value
----          -----
code          MwGkfTFphYMb7hp5t7_WCkgstwgWT1KZuLiOVSjBQIx
redirect_uri  http://localhost
client_id     <Redacted>
nonce         W2lFWf-nEkeOZ5u6anNovQvde016-U0N
code_verifier tpZVJsWM_0SqdHnFfNl5vSGIf9B.gQhEBgQjBTrEGBt5kLaYhUDVv95ZOUvKDeb9O30eJ2L~liJMX3L3Gt70ackXLXceh03ht6r7T9T7p3DSv
```

- Now run the following to get a response from the token endpoint that I believe should include a `refresh_token` but doesn't

```powershell
$TokenEndpointResponse = Invoke-TokenEndpoint -uri $OidcMetaData.token_endpoint -client_id $ClientID -client_secret $ClientSecret -client_auth_method client_secret_post -Verbose -code $AuthorizationEndpointResponse.code -redirect_uri "http://localhost" -code_verifier $AuthorizationEndpointResponse.code_verifier
$TokenEndpointResponse
```

Example:

```
access_token    : <Redacted>
expires_in      : 3600
id_token        : <Redacted>
scope           : openid
token_type      : Bearer
expiry_datetime : 3/29/2024 1:12:54 PM
```

We can see that `refresh_token` is not included and also see that the `scope` doesn't include `offline_access`. If I run this again with `$Scope = "openid offline_access profile"` the token endpoint response includes `scope : openid profile` and the `id_token` JWT includes additional profile data, so other scopes do seem to work but not `offline_access`.

For this to work `http://localhost` needs to be in the Cloudron manifest:

```json
{
  ...
  "addons": {
    ...
    "oidc": {
      "loginRedirectUri": "...,http://localhost"
    }
  },
  ...
}
```

What is the right way to get a `refresh_token` via Cloudron's OIDC?
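To make the check performed in the steps above repeatable against any provider, here is an added example (not from the post and not Cloudron's own code) that classifies a token-endpoint response against the discovery document and the scope that was requested. The sample discovery document and token response are constructed to mirror the output shown above, and the verdict about per-client grant types is an inference, since that registration is not visible to the client.

```python
from dataclasses import dataclass

@dataclass
class RefreshCheck:
    op_advertises_refresh: bool    # refresh_token listed in grant_types_supported
    offline_access_requested: bool
    offline_access_granted: bool   # OP echoed offline_access in the response scope
    refresh_token_issued: bool
    verdict: str

def check_refresh_issuance(discovery: dict, requested_scope: str, token_response: dict) -> RefreshCheck:
    """Explain why a refresh_token was (not) returned, using only what the client
    can observe. Per-client grant_types are not visible here, so the verdict about
    them is an inference (assumption), not a confirmed fact."""
    advertised = "refresh_token" in discovery.get("grant_types_supported", [])
    requested = set(requested_scope.split())
    # RFC 6749 s5.1: the response 'scope' may be omitted when identical to the request.
    granted = set(token_response.get("scope", requested_scope).split())
    offline_req = "offline_access" in requested
    offline_granted = "offline_access" in granted
    has_refresh = bool(token_response.get("refresh_token"))

    if not granted <= requested:
        verdict = "OP granted scopes that were never requested; treat the response as suspect"
    elif has_refresh and not offline_req:
        verdict = "refresh_token issued without offline_access: over-issuance, review provider policy"
    elif has_refresh:
        verdict = "ok: offline_access granted and refresh_token issued"
    elif not offline_req:
        verdict = "no refresh_token expected: offline_access was not requested"
    elif not advertised:
        verdict = "OP does not support the refresh_token grant at all"
    elif not offline_granted:
        verdict = ("OP silently dropped offline_access; likely this client is not registered "
                   "for the refresh_token grant even though the OP advertises it (inference)")
    else:
        verdict = "offline_access granted but no refresh_token returned: provider-side defect"
    return RefreshCheck(advertised, offline_req, offline_granted, has_refresh, verdict)

# Constructed sample modelled on the post: discovery advertises refresh_token,
# the request asked for offline_access, the response echoes only 'openid'.
SAMPLE_DISCOVERY = {"grant_types_supported": ["authorization_code", "refresh_token"]}
SAMPLE_TOKEN_RESPONSE = {"access_token": "<redacted>", "expires_in": 3600,
                         "id_token": "<redacted>", "scope": "openid", "token_type": "Bearer"}

if __name__ == "__main__":
    print(check_refresh_issuance(SAMPLE_DISCOVERY, "openid offline_access", SAMPLE_TOKEN_RESPONSE))
```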
Currently our OpenID provider does not issue any `refresh_token`s yet. All clients are created without the `refresh_token` grant type. For the moment it is only useful as an identity provider as such. But we will extend it further based on requirements. Will look into this for the coming releases.