feat: have OAuth2 Proxy refresh the access token before it expires

I'm basing the default on our existing Cognito pools and clients. This won't work if we need more control: - access tokens expire after 60 minutes, so renew at 59 - refresh tokens expire after 30 days, so the default of 7 days is fine and I haven't made this configurable
chanzuckerberg · Nov 19, 2024 · 816c04f · 816c04f
1 parent cdbd064
commit 816c04f
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 4 deletions.
diff --git a/stack/templates/oidc_proxy.yaml b/stack/templates/oidc_proxy.yaml
@@ -83,6 +83,7 @@ spec:
             - --pass-authorization-header=true
             - --reverse-proxy
             - --skip-jwt-bearer-tokens
+            - --cookie-refresh={{ .Values.oidcProxy.cookieRefresh }}
 
             {{- range $allOIDCProtectedServces }}
             - --upstream={{ . }}

diff --git a/stack/tests/oidc_test.yaml b/stack/tests/oidc_test.yaml
@@ -101,6 +101,7 @@ tests:
       global:
         oidcProxy:
           enabled: true
+          cookieRefresh: 1h23m45s
           skipAuth:
             - method: GET
               path: "/v1/api/docs2"
@@ -127,7 +128,7 @@ tests:
       - documentIndex: 0
         lengthEqual:
           path: spec.template.spec.containers[0].args
-          count: 17
+          count: 18
       - documentIndex: 0
         contains:
           path: spec.template.spec.containers[0].args
@@ -140,6 +141,10 @@ tests:
         contains:
           path: spec.template.spec.containers[0].args
           content: "--skip-auth-route=/v1/api/security/access_token"
+      - documentIndex: 0
+        contains:
+          path: spec.template.spec.containers[0].args
+          content: "--cookie-refresh=1h23m45s"
   - it: overwrites the name
     set:
       global:
@@ -421,7 +426,7 @@ tests:
       - documentIndex: 0
         lengthEqual:
           path: spec.template.spec.containers[0].args
-          count: 21
+          count: 22
       - documentIndex: 0
         contains:
           path: spec.template.spec.containers[0].args

diff --git a/stack/values.schema.json b/stack/values.schema.json
@@ -589,6 +589,11 @@
                             "default": [],
                             "items": {}
                         },
+                        "cookieRefresh": {
+                            "type": "string",
+                            "description": "Refresh tokens and cookies after this period",
+                            "default": "59m"
+                        },
                         "extraArgs": {
                             "type": "array",
                             "description": "Extra arguments to pass to the OIDC proxy",
@@ -645,4 +650,4 @@
             "default": {}
         }
     }
-}
+}
diff --git a/stack/values.yaml b/stack/values.yaml
@@ -318,7 +318,8 @@ global:
     # skipAuth:
     #   - path: "/healthz"
     #     method: GET
-
+    ## @param global.oidcProxy.cookieRefresh Refresh tokens and cookies after this period
+    cookieRefresh: "59m"
     ## @param global.oidcProxy.extraArgs Extra arguments to pass to the OIDC proxy
     extraArgs: []
     # extraArgs: