Failed Refresh Token leading to 500 error

[mmacaula]

Hello,

We've got a situation where Keycloak is our provider, and we're setup with openidc module to refresh before expiration. If we go into the Keycloak admin console and sign the user out and kill their session, then when the module tries to refresh, it fails with these (expected) errors:

[auth_openidc:warn] [pid 11:tid 140441185933056] [client <ipaddr>] oidc_refresh_access_token_before_expiry: access_token could not be refreshed
[auth_openidc:error] [pid 95:tid 140441202718464] [client <ipaddr>] oidc_util_json_string_print: oidc_util_check_json_error: response contained an "error" entry with value: ""invalid_grant""

However, when our web client then tries to access any protected route, we're receiving 500 errors. Is this expected? Is there a way to treat a refresh failed event as requiring re-auth or sending back a 401?

My relevant config:

OIDCClientID ${OIDC_CLIENT_ID}
OIDCClientSecret ${OIDC_CLIENT_SECRET}
OIDCProviderMetadataURL ${OIDC_REALM_URI}/.well-known/openid-configuration
OIDCCacheType redis
OIDCRedisCacheServer ${REDIS_CONNECTION_STRING}
OIDCUserInfoRefreshInterval 240
OIDCRefreshAccessTokenBeforeExpiry 60
OIDCInfoHook access_token
OIDCRedirectURI ${OIDC_REDIRECT_URI}
OIDCCryptoPassphrase ${OIDC_CRYPTO_PASSPHRASE}
OIDCXForwardedHeaders X-Forwarded-Port X-Forwarded-Proto X-Forwarded-Host
OIDCSessionType server-cache:persistent
OIDCPKCEMethod S256
OIDCUnAutzAction 302 /unauth
OIDCStateTimeout 300

[zandbelt]

which version of mod_auth_openidc are you using?

[mmacaula]

oops, should have included that!
mod_auth_openidc-2.4.15-1.el8

[zandbelt]

that is expected behaviour indeed, which can be changed with:

  OIDCRefreshAccessTokenBeforeExpiry <seconds> [logout_on_error | authenticate_on_error]

See https://github.com/OpenIDC/mod_auth_openidc/blob/v2.4.15.1/auth_openidc.conf#L1056-L1064

[mmacaula]

Ahh, that worked perfectly! Thank you! And thank you for the rapid response and the awesome library!