Google refresh token, consent prompt, and sessions #1153
Replies: 1 comment 5 replies
The annotated relevant directives from my current configuration (which does not solve the above problem). (Other settings for using Google as OP are removed,
The issue remains that whenever the mod_auth_openidc session ends, the refresh token is removed from mod_auth_openidc's cache, and another must be obtained if access token expiration length is not sufficient for a session. Access token expiration time for Google OAuth is typically 1 hour; I believe logging in every hour to be a poor user experience, so I don't consider that sufficient. However, obtaining a new refresh token appears to only be possible by having the user go through the "new user" flow including the consent screen. I can only assume that Google expects the refresh token to be stored indefinitely and reused for the same user during different sessions.

The only idea I have for doing this without modifying mod_auth_openidc would be modifying my backend app to store the refresh token (in some form) within a user database and "re-inject" this into the mod_auth_openidc cache after a new session is created for the user. This sounds suboptimal, and I'll admit I haven't tried it yet.

I'd love to hear any recommendations for other methods, or how any of you handle this issue. Thanks again, everyone!
First, @zandbelt, thanks so much for all your hard work on this. I've found the documentation easy to read and the configuration relatively straightforward.
Unfortunately, I've had some difficulty creating the user experience I'd like. I don't think it's unusual, but I haven't been able to get it right, and hope others here might have some tips (or at least pointers on where else to look). It boils down to a couple of issues:
Thus, every time a session ends, not only does the user need to re-authorize, they're also required to click through the consent prompt once more. This has not been my experience as a user, when I expect to receive the consent prompt the first time I use an app and then only if I explicitly revoke app access, whereas the "login" without the consent prompt may be considerably more often.
Can anyone share if they've figured out how to maintain a refresh token from Google over multiple sessions, or otherwise avoid frequently having users re-consent?
Thanks again, everyone!
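An added configuration example for the situation described in this thread (not the poster's own directives, which are not shown on the page): a mod_auth_openidc fragment that requests a Google refresh token and makes the session, rather than the 1-hour Google access token, the unit of login, so the cached refresh token is used to renew the access token instead of sending the user back through consent every hour. Hostnames, paths, timeouts and the placeholder credentials are assumptions.

```apache
# Added example, not the poster's configuration. Placeholders and values are assumed.
OIDCProviderMetadataURL https://accounts.google.com/.well-known/openid-configuration
OIDCClientID        <google-client-id-placeholder>
OIDCClientSecret    <google-client-secret-placeholder>
OIDCRedirectURI     https://app.example.com/secure/redirect_uri
OIDCCryptoPassphrase <long-random-passphrase-placeholder>
OIDCScope "openid email profile"

# Google only issues a refresh token when offline access is requested, and by
# default only on the first authorization for this client. Adding
# "prompt=consent" forces the consent screen on every login (the behaviour
# the thread wants to avoid) and is only needed when the cached refresh token
# is already gone, so it is left out here.
OIDCAuthRequestParams "access_type=offline"

# Weak setting: a session shorter than the access token means the refresh
# token is discarded with the session before it is ever used, and the next
# visit starts a fresh authorization (and, for a new refresh token, consent).
# OIDCSessionMaxDuration        1800
# OIDCSessionInactivityTimeout  300

# Corrected: let the session outlive the 1-hour access token, renew the access
# token 60 s before it expires with the cached refresh token, and terminate the
# session if the refresh fails (e.g. the user revoked the grant at Google) so
# revocation is honoured instead of serving a stale session. The inactivity
# timeout caps how long an unattended session cookie stays usable.
OIDCSessionMaxDuration             86400
OIDCSessionInactivityTimeout       3600
OIDCRefreshAccessTokenBeforeExpiry 60 logout_on_error

# Keep sessions (and the refresh tokens inside them) in a file cache so a
# httpd restart does not wipe them the way the default shared-memory cache does.
OIDCCacheType file
OIDCCacheDir  /var/cache/mod_auth_openidc

<Location /secure>
    AuthType openid-connect
    Require valid-user
</Location>
```

Note that this only keeps the refresh token for the lifetime of one session; reusing it across sessions, as the thread discusses, still requires persisting it outside mod_auth_openidc.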