For anyone who cares to have refresh tokens working there are a few things that are needed beyond this article (we spent way too much time figuring this out so thought we should share).

- You need to add `OAUTH2_PROXY_SCOPE: "openid email profile offline_access"` to your environment. `offline_access` is not included by default in Oauth2Proxy and is needed to get a refresh_token. Ref: OAuth 2.0 Scopes (okta.com)
- Make sure to set `OAUTH2_PROXY_COOKIE_EXPIRE` shorter than the `refresh token lifetime`. The `refresh token lifetime` was hard to find and the default is supposed to be 90 days but was 60 min on my Okta dev server. Both Access and Refresh Tokens having the same lifetime is problematic unless you use a rotating refresh token in the next step. Refs: OIDC & OAuth 2.0 OKTA token lifetime, Okta Refresh Token Lifetime Does Not Match
- Turn on Refresh Token Grant (make rotating if desired). Ref: Refresh access tokens and rotate refresh tokens | Okta Developer
- On a secure server Cookies may need `OAUTH2_PROXY_COOKIE_SAMESITE: none` and `OAUTH2_PROXY_COOKIE_SECURE: true` but this has not been confirmed.

Notes:

- Oauth2Proxy does not add the `set-Cookie` header unless it is needed, so it will not be present in the first call, but a call after the `OAUTH2_PROXY_COOKIE_REFRESH` time should include it.
- To debug what is returned from the Auth request you can directly access `/oauth2/auth` by commenting out `internal` and inspecting its headers.
- In the Oauth2Proxy logs you will get `refresh-token: true` included in a long message if it is being received.
- In OKTA, `Reports > System Log` will help you check if the `Refresh token` is being sent.

I think that covers it. If I think of anything else I will update. Good luck.
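The comment above boils down to a handful of ordering constraints between oauth2-proxy settings and the Okta refresh token lifetime. The following is an added example (not the commenter's code and not part of oauth2-proxy) that checks those constraints against an environment mapping before deployment. It assumes the values are Go-style durations as oauth2-proxy parses them (`168h`, `1h30m`, `24h0m0s`), that `168h` and `0` are the defaults for `OAUTH2_PROXY_COOKIE_EXPIRE` and `OAUTH2_PROXY_COOKIE_REFRESH` when unset, and that the Okta refresh token lifetime is read from the Okta admin console and passed in by hand, since the proxy has no way to know it. The two sample environments are constructed for illustration.

```python
import re
from typing import Dict, List

# Go duration units as oauth2-proxy's flag parser understands them.
_UNIT_SECONDS = {"ns": 1e-9, "us": 1e-6, "µs": 1e-6, "ms": 1e-3, "s": 1.0, "m": 60.0, "h": 3600.0}
_DURATION_RE = re.compile(r"(\d+(?:\.\d+)?)(ns|us|µs|ms|s|m|h)")


def parse_go_duration(text: str) -> float:
    """Convert a Go-style duration such as '168h0m0s' or '90m' to seconds.

    Go has no 'd' unit, so 90 days must be written as '2160h'.
    """
    text = text.strip()
    if text == "0":  # a bare zero is the only unit-less form Go accepts
        return 0.0
    parts = _DURATION_RE.findall(text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"not a Go duration: {text!r}")
    return sum(float(n) * _UNIT_SECONDS[u] for n, u in parts)


def check_refresh_config(env: Dict[str, str], okta_refresh_token_lifetime: str) -> List[str]:
    """Return a list of misconfigurations that would stop refresh tokens from working.

    okta_refresh_token_lifetime is the value shown in the Okta authorization
    server's access policy rule, supplied by the operator (assumption: it is
    given as a Go duration, e.g. '2160h' for 90 days or '60m' for a dev server).
    """
    problems: List[str] = []

    # 1. offline_access must be requested or Okta never issues a refresh token.
    scopes = set(env.get("OAUTH2_PROXY_SCOPE", "").split())
    for required in ("openid", "offline_access"):
        if required not in scopes:
            problems.append(f"OAUTH2_PROXY_SCOPE is missing '{required}'")

    # Assumed oauth2-proxy defaults when the variables are unset.
    expire = parse_go_duration(env.get("OAUTH2_PROXY_COOKIE_EXPIRE", "168h"))
    refresh = parse_go_duration(env.get("OAUTH2_PROXY_COOKIE_REFRESH", "0"))
    lifetime = parse_go_duration(okta_refresh_token_lifetime)

    # 2. The session cookie must die before the refresh token it carries does,
    #    otherwise the proxy tries to refresh with a token Okta already revoked.
    if expire >= lifetime:
        problems.append(
            "OAUTH2_PROXY_COOKIE_EXPIRE must be shorter than the Okta refresh token lifetime"
        )

    # 3. Refreshing has to be enabled and must happen before the cookie expires.
    if refresh == 0:
        problems.append("OAUTH2_PROXY_COOKIE_REFRESH is 0, so the session is never refreshed")
    elif refresh >= expire:
        problems.append("OAUTH2_PROXY_COOKIE_REFRESH must be shorter than OAUTH2_PROXY_COOKIE_EXPIRE")

    # 4. Browsers drop SameSite=None cookies that are not also marked Secure.
    samesite = env.get("OAUTH2_PROXY_COOKIE_SAMESITE", "").lower()
    secure = env.get("OAUTH2_PROXY_COOKIE_SECURE", "true").lower()
    if samesite == "none" and secure != "true":
        problems.append("OAUTH2_PROXY_COOKIE_SAMESITE=none requires OAUTH2_PROXY_COOKIE_SECURE=true")

    return problems


# Constructed sample: the scope from the article without offline_access, proxy
# defaults, and the 60 minute refresh token lifetime the commenter saw.
BROKEN_ENV = {
    "OAUTH2_PROXY_SCOPE": "openid email profile",
    "OAUTH2_PROXY_COOKIE_EXPIRE": "168h0m0s",
    "OAUTH2_PROXY_COOKIE_REFRESH": "0",
}

# Constructed sample: the settings the comment recommends, with a 90 day lifetime.
FIXED_ENV = {
    "OAUTH2_PROXY_SCOPE": "openid email profile offline_access",
    "OAUTH2_PROXY_COOKIE_EXPIRE": "24h",
    "OAUTH2_PROXY_COOKIE_REFRESH": "1h",
    "OAUTH2_PROXY_COOKIE_SAMESITE": "none",
    "OAUTH2_PROXY_COOKIE_SECURE": "true",
}

if __name__ == "__main__":
    for name, env, lifetime in (("broken", BROKEN_ENV, "60m"), ("fixed", FIXED_ENV, "2160h")):
        print(name, check_refresh_config(env, lifetime) or "ok")
```

Run it once with the lifetime copied from the Okta access policy rule and once more after changing that rule; the empty list is the condition under which the `set-Cookie` header described in the notes above should start appearing after the `OAUTH2_PROXY_COOKIE_REFRESH` interval.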