Details
- Bug
- Resolution: Fixed
- Blocker
- 2.22.0
- None
- Unknown
Description
After upgrading the OIDC Authenticator to 2.22.0, login via the OIDC callback fails with a 500 error for all users ("Cannot refresh the access token because there is no refresh token" immediately after token issuance). Downgrading to the previous version resolves the issue, confirming this is a regression introduced in 2.22.0.
Observed behavior:
The token exchange with the IdP completes successfully. The token response contains a valid access token with "expires_in":600. Immediately after — within the same second — the plugin logs:
DEBUG o.x.c.o.a.i.OIDCUserManager - The access token is expired, refreshing...
Since the IdP does not provide a refresh token, the subsequent refresh attempt fails:
InvalidAccessTokenException: Cannot refresh the access token because there is no refresh token
This causes a 500 error on the OIDC callback endpoint, making login impossible.
Relevant log excerpt:
08:59:21 DEBUG OIDCTokenRequestHelper - OIDC Token response (
)
08:59:21 DEBUG OIDCUserManager - The access token is expired, refreshing...
08:59:21 DEBUG OIDCResourceReferenceHandler - Failed to handle the OIDC endpoint
org.xwiki.contrib.oidc.auth.internal.InvalidAccessTokenException: Cannot refresh the access token because there is no refresh token
Token issuance and expiry check happen in the same second, suggesting the expiry evaluation is incorrect.
Expected behavior:
A freshly issued token with expires_in:600 should not be considered expired immediately. The plugin should use it to call the UserInfo endpoint without attempting a refresh.
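The expected decision logic, as an added illustration that is not code from the OIDC Authenticator project: expiry is computed from the issuance time plus the relative expires_in lifetime, a fresh token is used directly for the UserInfo call, and a refresh is attempted only when a refresh token exists. The names TokenState and decide_action and the sample timestamps are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class TokenState:
    access_token: str
    issued_at: float                 # epoch seconds when the token response arrived
    expires_in: int                  # lifetime in seconds, as sent by the IdP
    refresh_token: Optional[str] = None

    def expires_at(self) -> float:
        # expires_in is relative to issuance (RFC 6749), not an absolute
        # timestamp and not milliseconds; comparing it directly against the
        # current epoch time would mark every token expired on arrival.
        return self.issued_at + self.expires_in

    def is_expired(self, now: float, skew: float = 0.0) -> bool:
        # Expired only once the current time reaches the expiry (minus an
        # optional clock-skew margin); a token issued this second is valid.
        return now >= self.expires_at() - skew


def decide_action(token: TokenState, now: float, skew: float = 0.0) -> str:
    """Return what the callback handler should do with the token."""
    if not token.is_expired(now, skew):
        return "call_userinfo"       # use the access token as issued
    if token.refresh_token:
        return "refresh"             # refresh only when the IdP gave us the means
    # Expired with no refresh token: fail clearly rather than attempt a
    # refresh that cannot succeed.
    raise ValueError("Cannot refresh the access token because there is no refresh token")


if __name__ == "__main__":
    # Constructed sample: issued at t=1000 with expires_in=600, no refresh token.
    tok = TokenState("at-example", issued_at=1000.0, expires_in=600)
    print(decide_action(tok, now=1000.0))    # same second as issuance -> call_userinfo
    print(decide_action(tok, now=1599.0))    # still within the 600 s lifetime
    try:
        decide_action(tok, now=1600.0)       # lifetime elapsed, no refresh token
    except ValueError as err:
        print(err)
```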
Workaround:
None found within 2.22.0. Setting oidc.userinforefreshrate=0 does not prevent this code path. Downgrading to the previous version resolves the issue.
Steps to reproduce:
- Configure OIDC Authenticator 2.22.0 against a Shibboleth IdP that does not issue refresh tokens
- Attempt login
- Observe 500 on the OIDC callback