Support refresh tokens in Vault's OIDC provider #16134
Comments
I'd like to see this as well, or alternatively a recommendation to meet the dual requirements of:
We currently solve these requirements with other OIDC ID providers (Dex, Keycloak, Ory) by setting the ID token expiry to 15 minutes and the refresh token max lifetime to 30 days. The upstream identity source (Google / GitHub / etc...) is consulted every time the refresh token is used, achieving both requirements. Is there a recommended way to achieve the same with Vault?
I am also interested in this feature. I was hoping to migrate off of Keycloak and move to Vault for Kubernetes OIDC auth, but refresh tokens are a must-have. On a related note, Keycloak provides several other configuration options that relate to @jeffmccune's comment around "user experience" that I'd like to see Vault support --
Where are we regarding token refresh? This is a must-have for an OIDC provider.
Thanks for this feature request, @siepkes! I'm raising this internally for discussion of prioritization.
@austingebauer any info on your plans for this issue?
@adampl - I have raised this internally for prioritization but can't comment on when exactly that will happen. Any sentiment around problems this would solve for you will definitely help 🙂
Hi folks! Any chance to see RefreshToken support in the near future...?
Hey, any update on RefreshToken support...? Is it scheduled for development or... where are we?
Is your feature request related to a problem? Please describe.
Currently it is possible to retrieve an access_token in Vault but not to extend its lifetime in an OAuth2 / OIDC compatible way. When creating client applications (such as a single page application or iOS / Android app) you don't want the user to have to re-login every day. However, creating an access_token with a really long lifetime is often not desirable.

Describe the solution you'd like
I would like Vault to support section 1.5 of the OAuth2 spec, refresh tokens, allowing me to obtain a new access_token (Vault batch token) by using a refresh token. The refresh token is provided to the client at the same time the access_token is provided. In Vault's case the refresh token could be used to extend the lifetime of the access_token to its max_ttl. The access_token is allowed to change when it is refreshed (as far as I know). Same goes for the refresh token itself.

Describe alternatives you've considered
Using the Vault specific API to refresh the token, since the OIDC access_token is in essence "just" a Vault batch token. However, that might hurt Vault's OIDC adoption since standard client libraries with support for refresh tokens won't work.
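The refresh-token flow the issue describes (access_token and refresh_token issued together, a refresh grant that rotates both and cannot extend a session past max_ttl), modelled as an added in-memory example. This is illustrative code written for this page, not Vault's implementation: the class, its method names and the TTL constants are hypothetical, and replay of a rotated refresh token revokes the session as the defensive default.

```python
from __future__ import annotations
import secrets
import time
from dataclasses import dataclass

# Constructed example values; Vault's actual TTLs come from its role/client configuration.
ACCESS_TTL = 15 * 60         # access_token lifetime in seconds
MAX_TTL = 30 * 24 * 3600     # ceiling on how far refreshing may extend a session

@dataclass
class Session:
    subject: str
    issued_at: float      # original login time; max_ttl is measured from here
    refresh_token: str    # currently valid refresh token (rotated on every use)
    revoked: bool = False

class RefreshingIssuer:
    """Hypothetical in-memory token issuer modelling the flow the issue asks for."""
    def __init__(self, now=time.time):
        self.now = now
        self._live: dict[str, Session] = {}     # refresh_token -> session
        self._retired: dict[str, Session] = {}  # rotated-out tokens, kept to spot replay

    def login(self, subject: str) -> dict:
        """Initial grant: access_token and refresh_token are handed out together."""
        sess = Session(subject, self.now(), secrets.token_urlsafe(32))
        self._live[sess.refresh_token] = sess
        return self._tokens(sess, ACCESS_TTL)

    def refresh(self, refresh_token: str) -> dict:
        """refresh_token grant: new access_token, rotated refresh_token, bounded by max_ttl."""
        if refresh_token in self._retired:
            # A rotated token came back: someone holds a copy, so revoke the whole session.
            self._retired[refresh_token].revoked = True
            raise PermissionError("invalid_grant: refresh token reuse detected")
        sess = self._live.get(refresh_token)
        if sess is None or sess.revoked:
            raise PermissionError("invalid_grant")
        remaining = sess.issued_at + MAX_TTL - self.now()
        if remaining <= 0:
            raise PermissionError("invalid_grant: max_ttl reached, interactive login required")
        self._retired[refresh_token] = self._live.pop(refresh_token)
        sess.refresh_token = secrets.token_urlsafe(32)
        self._live[sess.refresh_token] = sess
        return self._tokens(sess, min(ACCESS_TTL, int(remaining)))

    def _tokens(self, sess: Session, expires_in: int) -> dict:
        # The access_token changes on every issue; here an opaque stand-in for a Vault batch token.
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
                "expires_in": expires_in, "refresh_token": sess.refresh_token}
```

The clamped expires_in on the last refresh before max_ttl is what lets a client library keep a 15-minute access token while the overall session still ends at the configured ceiling.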