Can OIDC client handle revoked tokens?

[IvanPuntev]

Hi @sberyozkin. Can you tell me if the oidc client can handle revoked jwt tokens? For example if the client already got token but the backend decides to revoke it soon after and I try to call this backend with the old token will the library handle this situation and get new token?

[quarkus-bot[bot]]

/cc @pedroigor (oidc), @sberyozkin (oidc)

[sberyozkin]

Hi @IvanPuntev,

In this case we have 401 from the target, and given that OIDC request client filter itself does not see this 401, I suggested, here 2 options:

• Have a custom response filter coordinating with the custom OidcClientRequest filter extension, it can really work though for a single OIDC client setup case, as the response filter will have no idea which OIDC client token caused the current 401. If it is a single client only, then the response filter can set a new token required flag for the request filter to react upon it during the retry
• Or, use OidcClient directly as linked in that comment.

I don't see how else OidcClient can know that what is a valid token from its own perspective, has already been revoked.
Does it help ?

[sberyozkin]

@IvanPuntev

But what stops the client response filter to figure out which specific OIDC client acquired the token which caused 401

Let's say we have 2 clients accessed concurrently. And all the client response filter can see is 401. How to link this 401 to a specific OIDC client ?

[sberyozkin]

@IvanPuntev Well, one can imagine that that the request filter sets an OIDC client name in the request context and the client response filter can check a request context and update that map where client names are keys that the new token is required. It will require though to have a static map in the abstract filter code, and an external retry.

Would you like to experiment and have OIDC Client reactive filter implement client response filter too ?

[IvanPuntev]

@sberyozkin I would like to try implementing this when I have some spare time. I would need some pointers where to start looking in the code to save some time tracing the flow.

[sberyozkin]

@IvanPuntev Can you open an enhancement request please ? I may give it a try as well.

It will have to be optional anyway, there could be code in place, custom response filters which do some work related to 401. There could be a risk of the loop since 401 may be reported on non expired non revoked tokens.

However may be we can do something useful with respect to supporting retries, thanks for driving the conversation

[IvanPuntev]

#44037