Support refresh tokens in Vault's OIDC provider

[siepkes]

Is your feature request related to a problem? Please describe.

Currently it is possible to retrieve an access_token in Vault but not to extend it's lifetime in a OAuth2 / OIDC compatible way. When creating client applications (such as a single page application or IOS / Android app) you don't want the user to have to re-login every day. However creating an access_token with a really long lifetime is often not desirable.

Describe the solution you'd like

I would like Vault to support section 1.5 of the OAuth2 spec, refresh tokens. Allowing me to obtain a new access_token (Vault batch token) by using a refresh token. The refresh token is provided to the client at the same time the access_token is provided. In Vault's case the refresh token could be used to extend the lifetime of the access_token to its max_ttl. The access_token is allowed to change when it is refreshed (as far as I know). Same goes for the refresh token itself.

Describe alternatives you've considered

Using the Vault specific API to refresh the token since the OIDC access_token is in essence "juist" a Vault batch token. However that might hurt Vault's OIDC adoption since standard client libraries with support for refresh tokens won't work.

[jeffmccune]

I'd like to see this as well, or alternatively a recommendation to meet the dual requirements of:

1. Revoke user access globally within 15 minutes.
2. Provide a good user experience, do not require users to go through the full code exchange flow more often than once per (day/week/month).

We currently solve these requirements with other oidc id providers (Dex, Keycloak, Ory) by setting id token expiry to 15 minutes and refresh token max lifetime to 30 days. The upstream identity source (google / github / etc...) are consulted every time the refresh token is used, achieving both requirements. Is there a recommended way to achieve the same with Vault?

[marshallford]

I am also interested in this feature. I was hoping to migrate off of Keycloak and move to Vault for Kubernetes OIDC auth, but refresh tokens are a must have.

On a related note Keycloak provides several other configuration options that relate to @jeffmccune comment around "user experience" that I'd like to see Vault support -- sso_session_idle_timeout, sso_session_max_lifespan, sso_session_idle_timeout_remember_me, sso_session_max_lifespan_remember_me.

[mateuszmidor]

where are we regarding token refresh? This is a must-have for OIDC provider

[austingebauer]

Thanks for this feature request, @siepkes! I'm raising this internally for discussion of prioritization.

[adampl]

@austingebauer any info on your plans for this issue?

[austingebauer]

@adampl - I have raised this internally for prioritization but can't comment on when exactly that will happen. Any sentiment around problems this would solve for you will definitely help 🙂

[mateuszmidor]

Hi folks! Any chances to see RefreshToken support in the near future...?

[mateuszmidor]

hey, any update on RefreshToken support...? Is it scheduled for development or...where are we?