Made OIDC auth renewable according to the refresh token

path_login.go

@@ -5,10 +5,12 @@ package jwtauth
 
 import (
 	"context"
+	"encoding/json"
 	"errors"
 	"fmt"
 
 	"github.com/hashicorp/cap/jwt"
+	"github.com/hashicorp/cap/oidc"
 	"github.com/hashicorp/errwrap"
 	"github.com/hashicorp/vault/sdk/framework"
 	"github.com/hashicorp/vault/sdk/helper/cidrutil"
@@ -219,6 +221,60 @@ func (b *jwtAuthBackend) pathLoginRenew(ctx context.Context, req *logical.Reques
 		return nil, fmt.Errorf("role %s does not exist during renewal", roleName)
 	}
 
+	if tokenString, ok := req.Auth.InternalData["token"]; ok {
+		var token oauth2.Token
+		err = json.Unmarshal(([]byte)(tokenString.(string)), &token)
+		if err != nil {
+			return nil, err
+		}
+		config, err := b.config(ctx, req.Storage)
+		if err != nil {
+			return nil, err
+		}
+		if config == nil {
+			return logical.ErrorResponse("Could not load configuration"), nil
+		}
+		provider, err := b.getProvider(config)
+		if err != nil {
+			return nil, fmt.Errorf("error getting provider for login operation: %w", err)
+		}
+		discovery, err := provider.DiscoveryInfo(ctx)
+		if err != nil {
+			return nil, err
+		}
+		pctx, err := provider.HTTPClientContext(ctx)
+		if err != nil {
+			return nil, err
+		}
+		oauth2Config := oauth2.Config{
+			ClientID:     config.OIDCClientID,
+			ClientSecret: config.OIDCClientSecret,
+			Endpoint: oauth2.Endpoint{
+				AuthURL:  discovery.AuthURL,
+				TokenURL: discovery.TokenURL,
+			},
+		}
+		ts := oauth2Config.TokenSource(pctx, &token)
+
+		// do a quick check to make sure we can get a fresh token
+		newToken, err := ts.Token()
+		if err != nil {
+			return nil, err
+		}
+		if newToken == nil {
+			return nil, errors.New("failed to retrieve new access token from refresh")
+		}
+
+		// if we have a fresh identity token then use it to get a fresh identity
+		if idToken, ok := newToken.Extra("id_token").(string); ok {
+			tk, err := oidc.NewToken(oidc.IDToken(idToken), newToken)
+			if err != nil {
+				return nil, err
+			}
+			return b.oidcEstablish(ctx, provider, roleName, role, tk, oidc.IDToken(idToken))
+		}
+	}
+
 	resp := &logical.Response{Auth: req.Auth}
 	resp.Auth.TTL = role.TokenTTL
 	resp.Auth.MaxTTL = role.TokenMaxTTL

path_oidc.go

@@ -273,6 +273,10 @@ func (b *jwtAuthBackend) pathCallback(ctx context.Context, req *logical.Request,
 		b.Logger().Debug("OIDC provider response", "id_token", loggedToken)
 	}
 
+	return b.oidcEstablish(ctx, provider, roleName, role, token, rawToken)
+}
+
+func (b *jwtAuthBackend) oidcEstablish(ctx context.Context, provider *oidc.Provider, roleName string, role *jwtRole, token *oidc.Tk, rawToken oidc.IDToken) (*logical.Response, error) {
 	// Parse claims from the ID token payload.
 	var allClaims map[string]interface{}
 	if err := rawToken.Claims(&allClaims); err != nil {
@@ -333,17 +337,30 @@ func (b *jwtAuthBackend) pathCallback(ctx context.Context, req *logical.Request,
 		tokenMetadata[k] = v
 	}
 
+	internalData := map[string]interface{}{
+		"role": roleName,
+	}
+	if token != nil {
+		tokenData, err := json.Marshal(oauth2.Token{
+			AccessToken:  token.AccessToken().String(),
+			RefreshToken: token.RefreshToken().String(),
+			Expiry:       token.Expiry(),
+		})
+		if err != nil {
+			return nil, err
+		}
+		internalData["token"] = string(tokenData)
+	}
+
 	auth := &logical.Auth{
 		Policies:     role.Policies,
 		DisplayName:  alias.Name,
 		Period:       role.Period,
 		NumUses:      role.NumUses,
 		Alias:        alias,
 		GroupAliases: groupAliases,
-		InternalData: map[string]interface{}{
-			"role": roleName,
-		},
-		Metadata: tokenMetadata,
+		InternalData: internalData,
+		Metadata:     tokenMetadata,
 		LeaseOptions: logical.LeaseOptions{
 			Renewable: true,
 			TTL:       role.TTL,