Cloudron Forum
Cloudron OIDC /.well-known/openid-configuration shows refresh_token in grant_types_supported but offline_access scope does not cause a refresh_token to be returned from the token endpoint

Feature Requests | tagged: oidc | 2 Posts, 2 Posters, 420 Views
#1 ChristopherMag wrote (last edited by girish):

    When looking at https://<CloudronDashboardHost>/.well-known/openid-configuration I see that it includes refresh_token in grant_types_supported.

    If I go through the authorization flow with the scope of openid offline_access the response from the token endpoint does not include a refresh_token.

    I did notice that in the documentation for oidc-provider it has an example of defining a ttl for RefreshToken but in the oidc.js code used in the box application it specifies the other ttl values but none for RefreshToken.

    Steps to reproduce via PowerShell (this is the simplest method I have found for testing OIDC stuff but I get the same results with code implemented in javascript using fetch running in a chrome extension service worker):

    • Install the PSAuthClient module
    Install-Module -Name PSAuthClient
    
    • Run the following to get a response from the authorization endpoint to start the process
    $OidcMetaData = Get-OidcDiscoveryMetadata -uri https://<CloudronDashboardHost>/.well-known/openid-configuration
    $ClientID = "<ValueOfCLOUDRON_OIDC_CLIENT_IDGoesHere>"
    $ClientSecret = "<ValueOfCLOUDRON_OIDC_CLIENT_SECRETGoesHere>"
    $Scope = "openid"                  # baseline request without offline_access
    $Scope = "openid offline_access"   # this second assignment overrides the first; it is the scope actually sent
    
    $AuthorizationEndpointResponse = Invoke-AuthorizationEndpoint -uri $OidcMetaData.authorization_endpoint -client_id $ClientID -redirect_uri "http://localhost" -response_type "code" -scope $Scope -Verbose
    $AuthorizationEndpointResponse
    

    Example output:

    Name                           Value
    ----                           -----
    code                           MwGkfTFphYMb7hp5t7_WCkgstwgWT1KZuLiOVSjBQIx
    redirect_uri                   http://localhost
    client_id                      <Redacted>
    nonce                          W2lFWf-nEkeOZ5u6anNovQvde016-U0N
    code_verifier                  tpZVJsWM_0SqdHnFfNl5vSGIf9B.gQhEBgQjBTrEGBt5kLaYhUDVv95ZOUvKDeb9O30eJ2L~liJMX3L3Gt70ackXLXceh03ht6r7T9T7p3DSv
    
    • Now run the following to get a response from the token endpoint that I believe should include a refresh_token but doesn't
    $TokenEndpointResponse = Invoke-TokenEndpoint -uri $OidcMetaData.token_endpoint -client_id $ClientID -client_secret $ClientSecret -client_auth_method client_secret_post -Verbose -code $AuthorizationEndpointResponse.code -redirect_uri "http://localhost" -code_verifier $AuthorizationEndpointResponse.code_verifier
    $TokenEndpointResponse
    

    Example:

    access_token    : <Redacted>
    expires_in      : 3600
    id_token        : <Redacted>
    scope           : openid
    token_type      : Bearer
    expiry_datetime : 3/29/2024 1:12:54 PM
    

    We can see that refresh_token is not included and also see that the scope doesn't include offline_access.

    If I run this again with $Scope = "openid offline_access profile" the token endpoint response includes scope : openid profile and the id_token jwt includes additional profile data so other scopes do seem to work but not offline_access.

    For this to work http://localhost needs to be in the cloudron manifest:

    {
      ...
      "addons": {
        ...
        "oidc": {
          "loginRedirectUri":"...,http://localhost"
        }
      },
      ...
    }
    

    What is the right way to get a refresh_token via cloudron's oidc?

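As an added example (not code from the post or from Cloudron), a small Node.js check that compares what an OIDC discovery document advertises with what the token endpoint actually returned, so a client can detect the situation described above instead of assuming a refresh_token exists. The discovery document and token response are constructed samples modelled on the post's output, with placeholder values.

```javascript
// Added example, not from the forum post or Cloudron: compare what an OIDC
// discovery document advertises with what the token endpoint actually returned,
// so a client can detect the "refresh_token advertised but never issued" case.

// Constructed sample discovery document (field names follow OIDC Discovery;
// the values are placeholders, not Cloudron's real metadata).
const sampleDiscovery = {
  issuer: "https://cloudron.example.test",
  grant_types_supported: ["authorization_code", "refresh_token"],
  scopes_supported: ["openid", "profile", "email"],
};

// Constructed token response shaped like the one shown in the post: no
// refresh_token, and the granted scope silently drops offline_access.
const sampleTokenResponse = {
  access_token: "<redacted>",
  expires_in: 3600,
  id_token: "<redacted>",
  scope: "openid",
  token_type: "Bearer",
};

function splitScope(s) {
  return new Set(String(s || "").split(/\s+/).filter(Boolean));
}

// Returns a diagnosis object; the caller decides whether to fall back to a
// fresh authorization-code flow when no refresh_token is available.
function diagnoseRefreshToken(discovery, requestedScope, tokenResponse) {
  const requested = splitScope(requestedScope);
  const granted = splitScope(tokenResponse.scope);
  const grants = discovery.grant_types_supported || [];
  const advertisesRefresh = grants.includes("refresh_token");
  const hasRefreshToken = typeof tokenResponse.refresh_token === "string" && tokenResponse.refresh_token.length > 0;
  const droppedScopes = [...requested].filter((s) => !granted.has(s));
  // Per RFC 6749 the server may omit "scope" when it equals the request, so
  // an absent scope field means "granted as requested".
  const effectiveDropped = tokenResponse.scope === undefined ? [] : droppedScopes;
  return {
    advertisesRefresh,
    hasRefreshToken,
    droppedScopes: effectiveDropped,
    // True exactly in the situation the post describes.
    advertisedButNotIssued: advertisesRefresh && requested.has("offline_access") && !hasRefreshToken,
    // Without a refresh_token the client must re-authorize before this time.
    accessTokenExpiresAt: Date.now() + Number(tokenResponse.expires_in || 0) * 1000,
  };
}
```

Calling `diagnoseRefreshToken(sampleDiscovery, "openid offline_access", sampleTokenResponse)` reports `offline_access` as dropped and `advertisedButNotIssued` as true; a client should then schedule a new authorization-code flow rather than attempt the refresh_token grant.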
#2 nebulon (Staff) wrote:

      Currently our OpenID provider does not issue any refresh_tokens yet. All clients are created without the refresh_token grant type.

      For the moment it is only useful as an identity provider as such. But we will extend it further based on requirements. Will look into this for the coming releases.

      girish moved this topic from Support