Description
I'm using oauth2-proxy together with rauthy to self-host, but I have issues redeeming refresh_tokens: I get an error, `{"error": "Unauthorized"}`, with no apparent further explanation in the logs.
I use Rauthy ghcr.io/sebadob/rauthy:0.26.2-lite (I am unable to upgrade yet), and to make a more minimal reproduction, I was able to trigger the same behaviour easily using oauth2c.
Is there anything I may have missed with regards to refresh_tokens that may be the reason why I am not able to redeem them? Is there a rate limit, or a don't-use-before, or maybe I'm doing something obviously wrong? I can make a more automated minimal reproduction if need be; I just wanted to get the question out first in case it is something obvious I have missed.
```bash
# The scripts and commands below need oauth2c and jq installed.
# 1. Run ghcr.io/sebadob/rauthy:0.26.2-lite locally.
# 2. Set up the client as the screenshots below show.
# 3. Update the client secret in the scripts below.
# 4. Then execute these two scripts in succession:
./start_session.bash > tokens.json
./refresh_session.bash "$(jq -r '.refresh_token' tokens.json)"
```
start_session.bash

```bash
#!/usr/bin/env bash
# Obtain tokens via the authorization code flow (with PKCE) and print the
# token response as JSON on stdout.
oauth2c \
  --client-id test \
  --client-secret '7mLGUT2bfyA0Gln0b22j9dEks60WBEXnjyalFVxQ4zXMTmkQNET7bTFNzwNdasDk' \
  --insecure \
  --pkce \
  --scopes "openid profile email offline_access" \
  --response-types code \
  --response-mode query \
  --grant-type authorization_code \
  --auth-method client_secret_post \
  https://localhost/auth/v1
```

refresh_session.bash

```bash
#!/usr/bin/env bash
# Redeem the refresh token passed as the first argument.
# The PKCE/scope/response flags are carried over unchanged from start_session.bash.
oauth2c \
  --client-id test \
  --client-secret '7mLGUT2bfyA0Gln0b22j9dEks60WBEXnjyalFVxQ4zXMTmkQNET7bTFNzwNdasDk' \
  --insecure \
  --pkce \
  --scopes "openid profile email offline_access" \
  --response-types code \
  --response-mode query \
  --grant-type refresh_token \
  --auth-method client_secret_post \
  --refresh-token "$1" \
  https://localhost/auth/v1
```

This is my client setup
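As an added example for reproducing the refresh step without oauth2c (this is not code from the issue, from rauthy or from oauth2c), the script below discovers the token endpoint through standard OIDC discovery at the issuer the scripts above use, POSTs the RFC 6749 §6 refresh_token grant with client_secret_post authentication, and returns the raw HTTP status, headers and body so that a 401 and any WWW-Authenticate header are visible instead of being collapsed into "Unauthorized". It also decodes the refresh token's own iat/nbf/exp claims if the token happens to be a JWT, which answers the rate-limit / not-before question empirically; whether rauthy's refresh tokens are JWTs, and what claims they carry, is not asserted here, and an opaque token is simply reported as such. The issuer URL, the `test` client id and the sample token in the test are assumptions or constructed values.

```python
"""Redeem a refresh token with plain HTTP and show the raw response.

Added example, not code from the issue, rauthy or oauth2c. It assumes only
that the issuer https://localhost/auth/v1 publishes a standard
/.well-known/openid-configuration with a token_endpoint (assumption).
"""
import base64
import json
import ssl
import time
import urllib.error
import urllib.parse
import urllib.request


def decode_jwt_claims(token: str):
    """Return the JWT payload WITHOUT verifying the signature, or None if the
    token is opaque (not three base64url segments with a JSON body).
    Only for inspecting iat/nbf/exp on a token we already hold ourselves."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    try:
        return json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None


def time_window_status(claims: dict, now: int) -> str:
    """Classify a token against its own nbf/exp claims at Unix time `now`."""
    nbf = claims.get("nbf")
    exp = claims.get("exp")
    if nbf is not None and now < nbf:
        return "not_yet_valid"
    if exp is not None and now >= exp:
        return "expired"
    return "in_window"


def build_refresh_request(token_endpoint, client_id, client_secret, refresh_token):
    """Form-encoded refresh_token grant with client_secret_post authentication."""
    form = {
        "grant_type": "refresh_token",
        "refresh_token": refresh_token,
        "client_id": client_id,
        "client_secret": client_secret,
    }
    req = urllib.request.Request(
        token_endpoint, data=urllib.parse.urlencode(form).encode(), method="POST"
    )
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    req.add_header("Accept", "application/json")
    return req


def redeem(issuer, client_id, client_secret, refresh_token, insecure=False):
    """Discover token_endpoint, redeem the token, return (status, headers, body).
    HTTP errors are returned rather than raised so the error body is visible."""
    ctx = ssl.create_default_context()
    if insecure:  # self-signed localhost cert, mirrors oauth2c --insecure
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    discovery = issuer.rstrip("/") + "/.well-known/openid-configuration"
    with urllib.request.urlopen(discovery, context=ctx) as r:
        token_endpoint = json.load(r)["token_endpoint"]
    req = build_refresh_request(token_endpoint, client_id, client_secret, refresh_token)
    try:
        with urllib.request.urlopen(req, context=ctx) as r:
            return r.status, dict(r.headers), r.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers), e.read().decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed alg=none token with an empty signature, for offline checks only."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    import sys  # usage: python3 refresh_check.py <refresh_token> <client_secret>
    rt, secret = sys.argv[1], sys.argv[2]
    claims = decode_jwt_claims(rt)
    if claims:
        print("claims:", {k: claims.get(k) for k in ("iat", "nbf", "exp")},
              "->", time_window_status(claims, int(time.time())))
    else:
        print("refresh token is opaque (not a JWT); skipping claim check")
    status, headers, body = redeem("https://localhost/auth/v1", "test", secret, rt, insecure=True)
    print(status, headers.get("WWW-Authenticate"), body)
```

Run it right after `start_session.bash`, then again after waiting a while: if the claim check reports `not_yet_valid` on the first attempt and the redemption succeeds later, the token has a not-before window; if the status stays 401 regardless, the headers and body printed here are what to compare against the client configuration.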

