What happened?
Every time the access token lifetime ends (5 minutes), the user is prompted to authenticate again because the refresh token workflow fails.
What did you expect to happen?
The refresh token workflow works fine and users aren't prompted every 5 minutes to log in again.
What is the simplest way to reproduce this behavior?
With Postman we can reproduce the issue: get an access token with scp: openid, then with the refresh_token workflow the new access token doesn't include scp: openid, so when we POST to the adfs/userinfo endpoint with this new access token we get error 403.
Since we updated from TKG 2.2 (Pinniped v0.12.1) to TKG 2.3 (Pinniped 0.24), we have an issue with the refresh token workflow.
We detect on our external OIDC that when the access token is refreshed, the new access token does not include the claim scp=openid (scope). Since this new access token does not have this claim, when Pinniped tries to communicate with the adfs/userinfo endpoint we get a 403 error, because calling this endpoint requires the openid scope.
When the Pinniped refresh token workflow starts, we receive an error in our external OIDC logs.
We can simulate this scenario with Postman and confirm that at the first login the first access token has scp:openid, but when it's refreshed with the refresh token, the new access token does not have scp:openid.
If there is some possibility to make the Pinniped refresh token workflow include that key, it will work fine.
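The scope-drop described in this report can be made visible without Postman. The script below is an added example, not code from Pinniped or from the reporter: it builds two constructed, unsigned sample tokens (the first with scp "openid profile email", the "refreshed" one without openid), decodes the scp claim the way a debugging step would, runs the same pre-flight rule the userinfo endpoint enforces (openid must be present), and shows the refresh_token grant body from RFC 6749 section 6 with the scope parameter sent explicitly. The client id, audience and refresh token value are placeholders; real ADFS tokens are signed and must be verified before any claim is trusted.

```python
import base64
import json
from urllib.parse import urlencode


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned compact JWT for local inspection only
    (assumption: alg "none"; a real ADFS token carries an RS256 signature)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_jwt_claims(token: str) -> dict:
    """Decode the payload segment of a compact JWT without verifying it.
    Suitable for logging/debugging which scopes a token carries, nothing more."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def granted_scopes(claims: dict) -> set:
    """ADFS carries scopes in 'scp' as a space-delimited string; other
    providers use 'scope' or a JSON list. Normalise all of them to a set."""
    raw = claims.get("scp", claims.get("scope", []))
    if isinstance(raw, str):
        return set(raw.split())
    return set(raw)


def can_call_userinfo(token: str) -> bool:
    """Pre-flight check mirroring the server rule from the report:
    the userinfo endpoint requires the 'openid' scope, otherwise 403."""
    return "openid" in granted_scopes(decode_jwt_claims(token))


def build_refresh_request(refresh_token: str, client_id: str, scopes) -> str:
    """Form body for the refresh_token grant (RFC 6749 section 6). The RFC makes
    'scope' optional and defaults it to the originally granted scope, but sending
    it explicitly makes the expected scope visible in the provider's logs."""
    return urlencode({
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
        "scope": " ".join(scopes),
    })


# Constructed sample tokens reproducing the symptom: openid present at first
# login, missing after refresh.
INITIAL_TOKEN = make_sample_token(
    {"aud": "urn:example:api", "scp": "openid profile email", "exp": 1700000300})
REFRESHED_TOKEN = make_sample_token(
    {"aud": "urn:example:api", "scp": "profile email", "exp": 1700000600})

if __name__ == "__main__":
    for name, tok in (("initial", INITIAL_TOKEN), ("refreshed", REFRESHED_TOKEN)):
        scopes = sorted(granted_scopes(decode_jwt_claims(tok)))
        print(f"{name}: scopes={scopes} userinfo_ok={can_call_userinfo(tok)}")
    print(build_refresh_request("REFRESH_TOKEN_PLACEHOLDER", "pinniped-client",
                                ["openid", "profile", "email"]))
```

Running the pre-flight check on each token the client receives turns the 403 at userinfo into a clear "refreshed token lacks openid" message at the point where the token arrives, which is the log line an operator wants when correlating with the provider's own error.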