add backwards compatibility to allow parallel refresh token requests

using envvar OIDC_PARALLEL_REFRESH_ALLOWED Signed-off-by: Hans Zandbelt <[email protected]>
OpenIDC · Oct 25, 2023 · fd30c4c · fd30c4c
1 parent c2eaec1
commit fd30c4c
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 2 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -1,6 +1,7 @@
 10/25/2023
 - do not apply logout_on_error and authenticate_on_error when a parallel refresh token request is detected
   see https://github.com/OpenIDC/mod_auth_openidc/discussions/1132; thanks @esunke
+- add backwards compatibility option to allow parallel refresh token requests using envvar OIDC_PARALLEL_REFRESH_ALLOWED
 - bump to 2.4.14.5rc0
 
 10/12/2023

diff --git a/src/mod_auth_openidc.c b/src/mod_auth_openidc.c
@@ -1058,6 +1058,8 @@ static void oidc_store_userinfo_claims(request_rec *r, oidc_cfg *c,
 #define OIDC_REFRESH_ERROR_GENERAL				2
 #define OIDC_REFRESH_ERROR_PARALLEL_REFRESH		3
 
+#define OIDC_PARALLEL_REFRESH_ALLOWED_ENVVAR "OIDC_PARALLEL_REFRESH_ALLOWED"
+
 /*
  * execute refresh token grant to refresh the existing access token
  */
@@ -1094,8 +1096,11 @@ static apr_byte_t oidc_refresh_token_grant(request_rec *r, oidc_cfg *c,
 	if (value != NULL) {
 		oidc_warn(r,
 				"refresh token routine called but existing parallel refresh is in progress");
-		*error_code = OIDC_REFRESH_ERROR_PARALLEL_REFRESH;
-		goto end;
+		if (apr_table_get(r->subprocess_env,
+				OIDC_PARALLEL_REFRESH_ALLOWED_ENVVAR) == NULL) {
+			*error_code = OIDC_REFRESH_ERROR_PARALLEL_REFRESH;
+			goto end;
+		}
 	}
 	// "lock" the refresh token best effort; this does not work failsafe in a clustered setup...
 	oidc_cache_set_refresh_token(r, refresh_token, refresh_token,