Issue with refresh token with version 2.4.15.7

[manish-sonal-db]

Hi OpenIDC team + community,

We recently upgraded our last Sunday to mod_auth_openidc version to 2.4.15.7 which causes now some troubles in a clustered environment (with 4 nodes).

Apache version: apache-2.4.58
mod_auth_openidc: 2.4.15.7
backend application : spring boot 5.3.29

Issue:
The issue is, Initially the user successfully logins into the spring application after authenticating via IDP (apache/mod_auth_openidc) and be able to access the different pages of this application.
After sometime, The users are getting kicked out from the current sessions with 500 internal server error. Even with the page refresh, it doesn't allow them to login back and unable to access app.
After 5 mins, when the user refreshes the same page on the same tab, it get redirect to authentication for fresh authentication.

Debug Log:

We have found the following error logs from server side:

2024-09-17 17:03:17.942139 auth_openidc:debug <CLIENT_IP>:0 ZumoRWewIYslUkQHy-6ItQAAEzY oidc_http_call: set HTTP request header User-Agent to: [:1362:1299700] mod_auth_openidc-2.4.15.7 libcurl-7.77.0 OpenSSL 1.1.1q 5 Jul 2022
2024-09-17 17:03:18.014723 auth_openidc:debug <CLIENT_IP>:0 ZumoRWewIYslUkQHy-6ItQAAEzY oidc_http_call: HTTP response code=400
2024-09-17 17:03:18.014764 auth_openidc:debug <CLIENT_IP>:0 ZumoRWewIYslUkQHy-6ItQAAEzY oidc_http_call: response={"error_description":"grant is invalid","error":"invalid_grant"}
2024-09-17 17:03:18.015019 auth_openidc:error <CLIENT_IP>:0 ZumoRWewIYslUkQHy-6ItQAAEzY oidc_util_json_string_print: oidc_util_check_json_error: response contained an "error" entry with value: ""invalid_grant""
2024-09-17 17:03:18.015057 auth_openidc:error <CLIENT_IP>:0 ZumoRWewIYslUkQHy-6ItQAAEzY oidc_util_json_string_print: oidc_util_check_json_error: response contained an "error_description" entry with value: ""grant is invalid""
2024-09-17 17:03:18.015082 auth_openidc:error <CLIENT_IP>:0 ZumoRWewIYslUkQHy-6ItQAAEzY oidc_refresh_token_grant: access_token could not be refreshed with refresh_token: <REFERSH_TOKEN>

Could you please review and suggest a solution for this issue.

[zandbelt]

please read https://github.com/OpenIDC/mod_auth_openidc/wiki/Known-Limitations

[manish-sonal-db]

Thanks for quick response. just checking are you trying to suggest -
Incase we dont need parallel access tokens refresh - we should use OIDC_PARALLEL_REFRESH_NOT_ALLOWED
Incase we need parallel access tokens refresh - we should use OIDCSessionType server-cookie param right?
is this ok?

[zandbelt]

the vast majority of use cases don't actually need OIDCRefreshAccessTokenBeforeExpiry or OIDCUserInfoRefreshInterval at all, better start analyzing that requirement first... see here; then if you really do need it, better use it with sticky sessions, or (last resort) a server side cache mechanism; OIDC_PARALLEL_REFRESH_NOT_ALLOWED is no longer relevant/supported