XOAUTH2 authentication on refresh

[ll4strw]

Hello everybody.

I have roundcube v1.5.2 configured to authenticate users via OAuth with my identity provider. It does work rather well I should say, however I have been observing the following behavior.

A user logs in by being redirected to my identity provider login page ($config['oauth_login_redirect'] = true;). An authorization token with validity of 5 minutes is issued and stored in the browser. If the user requests a refresh of his inbox or roundcube automatically refreshes the inbox view, then roundcube tries contacting to the IMAP server to authenticate that user via XOAUTH2 using an expired token, which clearly results in an authentication error.
In particular, roundcube displays a popup dialog saying AUTHENTICATE XOAUTH2: A0001 NO [AUTHENTICATIONFAILED] Authentication failed.. Would not be better to redirect the user to the identity provider login page?

[thomascube]

Please note that an "authorization token" is not an access token. The latter also isn't stored in your browser but on the Roundcube server only. Please check if your identity provider issues a refresh token alongside with the access token. Refresh tokens are used by Roundcube to request new access tokens once they expire. Some identity providers require a certain scope to be requested in order to issue refresh tokens.

[ll4strw]

Many thanks indeed for your prompt reply. I can confirm my identity provider (keycloak) issues both an access token and a refresh token as you said. Regardless of the token type used to access an inbox and its duration, which might differ from implementation to implementation, would not be better in this instance to replace the rc error popups to redirect the "expired" user to the provider's login page? This would improve the user experience.
PS: Where does rc store the identity tokens?

[ll4strw]

I would like to report also the following related behavior.
I have an access token with validity 5 mins and a refresh token with validity 8 hours. What I observe is that around 5 mins after a successful login, although the reported error popup is shown (presumably because the access token is expired), the client just keeps working fine if the alert is dismissed or ignored (presumably because a refresh token is used?).
Nonetheless, RC fills up the error logs with failed XOAUTH2 attempts around every 5 mins.
I am wondering if this is supposed to be the expected behavior.

[azmeuk]

I can confirm this still happens with roundcube 1.6
By enabling debug logging on dovecot, I can see that the token it received is expired.

[azmeuk]

I think I found the reason. My IDP was misconfigured and gave different values for the token expires_in claim, and the JWT access token exp claim.

I had a expires_in value of 10 days and a exp value of 1 hour. Roundcube was refering to expires_in and considered the token to be still active, but dovecot read the exp claim in the JWT and considered it expired.

[ll4strw]

Hi @azmeuk, which idp are you using?

[azmeuk]

I use canaille. We fixed the inconsistency between exp and expires_in in a new release, and since I do not have the roundcube authentication error anymore.

[ll4strw]

@azmeuk Thanks for the heads up.