fix: support IdPs with 5 min token expiry and no refresh flow MONGOSH-2498 (#232)

Before this change, our OIDC plugin could exhibit undesirable behavior in a
specific configuration edge case, which, unfortunately, matches the default
behavior of at least one identity provider software.

Specifically, Ping Identity software does not typically provide us with
JWTs that are usable for authentication and authorization, so users may
opt to use ID tokens instead. Ping, however, by default does not provide
clients with new ID tokens on a refresh operations, and also only gives
those tokens a default validity of 5 minutes.

(We do recommend to Ping customers to enable passing new ID tokens on
refresh if they have this setup.)

However, 5 minutes also happens to be the time at which the plugin
prefers either refreshing tokens or prompting the user for re-authentication
instead of re-using tokens with a short leftover validity.

This means that when the driver requests a new token multiple times, or
multiple driver instances request tokens in quick succession (which can
easily happen, especially if they used the same token beforehand, which
obviously then expires at around the same time for each driver), the
plugin would try to refresh the token, then when that failed, prompt
the user for a new authentication attempt not just once every minutes,
but multiple times in quick succession as well.

To avoid this issue, we refactor the code that chooses a token acquisition
mechanism so that even if the current token still has a leftover validity
of less than 5 minutes and refreshing fails, we still keep using it until
the driver signals to us that it has become fully unusable.

Author: addaleax

src/plugin.spec.ts

@@ -1299,6 +1299,41 @@ describe('OIDC plugin (mock OIDC provider)', function () {
     additionalIssuerMetadata = undefined;
   });
 
+  context('with a broken token refresh flow', function () {
+    let plugin: MongoDBOIDCPlugin;
+
+    beforeEach(function () {
+      plugin = createMongoDBOIDCPlugin({
+        openBrowserTimeout: 60_000,
+        openBrowser: fetchBrowser,
+        allowedFlows: ['auth-code'],
+        redirectURI: 'http://localhost:0/callback',
+      });
+
+      overrideRequestHandler = (url, req, res) => {
+        if (new URL(url).searchParams.get('grant_type') === 'refresh_token') {
+          res.writeHead(500);
+          res.end('Internal Server Error');
+        }
+      };
+    });
+
+    it('will keep using an unexpired token if the refresh endpoint is broken even if refresh is overdue', async function () {
+      getTokenPayload = () => {
+        return { ...tokenPayload, expires_in: 60 /* one minute */ };
+      };
+      const req = async () =>
+        await requestToken(plugin, {
+          issuer: provider.issuer,
+          clientId: 'mockclientid',
+          requestScopes: [],
+        });
+      const result1 = await req();
+      const result2 = await req();
+      expect(result1).to.deep.equal(result2);
+    });
+  });
+
   context('with different supported built-in scopes', function () {
     let getScopes: () => Promise<string[]>;
 

src/plugin.ts

@@ -964,27 +964,46 @@ export class MongoDBOIDCPluginImpl implements MongoDBOIDCPlugin {
 
     try {
       get_tokens: {
-        if (
-          !forceRefreshOrReauth &&
-          tokenExpiryInSeconds(
-            state.currentTokenSet?.set,
-            passIdTokenAsAccessToken
-          ) >
-            5 * 60
-        ) {
+        const currentSetExpiresInSeconds = tokenExpiryInSeconds(
+          state.currentTokenSet?.set,
+          passIdTokenAsAccessToken
+        );
+        // If the current token set has a decent amount of validity, just keep using it.
+        if (!forceRefreshOrReauth && currentSetExpiresInSeconds > 5 * 60) {
           this.logger.emit('mongodb-oidc-plugin:skip-auth-attempt', {
             authStateId: state.id,
             reason: 'not-expired',
           });
           break get_tokens;
         }
+        // If the current token set is close to expiry, try to acquire a fresh token
+        // if possible.
         if (await state.currentTokenSet?.tryRefresh?.()) {
           this.logger.emit('mongodb-oidc-plugin:skip-auth-attempt', {
             authStateId: state.id,
             reason: 'refresh-succeeded',
           });
           break get_tokens;
         }
+        // If the current token set is close to expiry, and refreshing failed, that can
+        // just mean that the token refresh mechanism are not available.
+        // We want to avoid a situation in which two initiateAuthAttempt() calls are made
+        // right after each other, the token returned from the first one has a short validity
+        // (i.e. up to or less than 5 minutes), and the second one then ignores the token
+        // from the first one, effectively keeping the user in a loop of 'overly' eager
+        // re-authentication interactions.
+        // This means we effectively have a minimum requirement of tokens being valid
+        // for at least 10 seconds after being issued OR a working token refresh flow, which
+        // seems like a reasonable expectation.
+        if (!forceRefreshOrReauth && currentSetExpiresInSeconds > 10) {
+          this.logger.emit('mongodb-oidc-plugin:skip-auth-attempt', {
+            authStateId: state.id,
+            reason: 'not-expired-refresh-failed',
+          });
+          break get_tokens;
+        }
+        // If no automatic mechanism for acquiring a token is available, we need to start
+        // an authentication flow that (typically) involves user interaction.
         state.currentTokenSet = null;
         let error;
         const currentAllowedFlowSet = await this.getAllowedFlows({ signal });

src/types.ts

@@ -81,7 +81,7 @@ export interface MongoDBOIDCLogEventsMap {
   }) => void;
   'mongodb-oidc-plugin:skip-auth-attempt': (event: {
     authStateId: string;
-    reason: string;
+    reason: 'not-expired' | 'not-expired-refresh-failed' | 'refresh-succeeded';
   }) => void;
   'mongodb-oidc-plugin:auth-failed': (event: {
     authStateId: string;