[doc] 4.5.3.2.1.3 OIDC Tokens #753
Labels: AdminGuide (fix will change the Admin Guide), Enhancement (fix is an enhancement), On-Hold (PR needs work and should not be merged even if reviews are complete), v4 (CaaSP v4)
4.5.3.2.1.3 OIDC Tokens
https://documentation.suse.com/suse-caasp/4.1/single-html/caasp-admin/#_oidc_tokens
If possible, please include the errors that users get for this type of situation and slightly adjust the wording to make it clearer.
errors:

- `msg="failed to rotate keys: keys already rotated by another server instance"`
- `msg="failed to get refresh token: not found"`
https://bugzilla.suse.com/show_bug.cgi?id=1165701
This can be reproduced when you log into two different machines as one user and got different id-token/refresh-token pairs and both worked until expired. Then the first machine that logged in received an update, but not the other one. It seems this is expected and here’s the explanation from our engineering:
Besides the id-token/refresh-token 1:1 mapping, Dex regards one session per user, which means refreshing the id-token and refresh-token together. If a second user tries to log in to get a new id-token, Dex will invalidate the previous `id and refresh token` for the first user, which means the first user is still able to use the old id-token until expiration. After that, the first user is not allowed to refresh the id-token with the invalid refresh token, but the second user is. (ref: https://github.com/innobead/dex/blob/d928ac0677f214df047b23bd67f54de74acaa47c/server/handlers.go#L732-L751)

If sharing the same id-token in many places, all of them can be used until the expiration. Then the first user refreshing the id-token & refresh token will be able to continue accessing the cluster, but the others will encounter the error `Refresh token is invalid or has already been claimed by another client` because the refresh token got updated by the first user. (ref: https://github.com/innobead/dex/blob/d928ac0677f214df047b23bd67f54de74acaa47c/server/handlers.go#L905-L926)

What you encountered is the `refresh token` getting updated along with the `id-token`, so there is no way to keep the same. So, if any token changes (id or refresh), it will cause users to encounter `claimed by another client`. Basically this is the OIDC/OAuth 2 spec (https://tools.ietf.org/html/rfc6749#page-10), so please suggest that users get an id token per user to resolve this issue.

Thanks,
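The two failure modes described in the issue, as an added example that is not Dex's code and not part of the original report: a toy Go model of the session bookkeeping. It assumes one refresh-token record per user (simplifying Dex's per-user/client/connector keying), a secret that is rotated on every successful refresh, and a fresh login that replaces the user's existing record. Error strings, the `Server` type and its methods are all assumptions made for illustration; only the error messages are modelled on the ones quoted above.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

// Error values modelled on the messages quoted in the issue (assumption, not Dex's errors).
var (
	ErrRefreshNotFound = errors.New("failed to get refresh token: not found")
	ErrRefreshClaimed  = errors.New("refresh token is invalid or has already been claimed by another client")
	ErrIDTokenExpired  = errors.New("id token expired")
)

// IDToken stands in for the signed JWT; only the fields the scenario needs.
type IDToken struct {
	Subject string
	Serial  int       // which issuance this is, so callers can tell tokens apart
	Expiry  time.Time // an id token stays usable until here regardless of refresh state
}

// session is the server-side refresh-token record: one per user (assumption).
type session struct {
	id      string
	secret  string // rotated on every successful refresh; the old value is gone
	subject string
}

// Server is a toy model of the behaviour described in the issue, not Dex.
type Server struct {
	Now    func() time.Time
	IDTTL  time.Duration
	serial int
	byUser map[string]*session // enforces one session per user
	byID   map[string]*session // lookup by refresh-token id
}

func NewServer(now func() time.Time, ttl time.Duration) *Server {
	return &Server{Now: now, IDTTL: ttl, byUser: map[string]*session{}, byID: map[string]*session{}}
}

func (s *Server) nextSerial() int { s.serial++; return s.serial }

// issue mints a new id token and rotates the session secret together,
// returning the refresh token as "<session id>:<secret>".
func (s *Server) issue(sess *session) (IDToken, string) {
	n := s.nextSerial()
	sess.secret = fmt.Sprintf("secret-%d", n)
	return IDToken{Subject: sess.subject, Serial: n, Expiry: s.Now().Add(s.IDTTL)},
		sess.id + ":" + sess.secret
}

// Login is a fresh authentication (for example from a second machine). Any
// existing session for the user is dropped, so its refresh token is "not found".
func (s *Server) Login(subject string) (IDToken, string) {
	if old, ok := s.byUser[subject]; ok {
		delete(s.byID, old.id)
	}
	sess := &session{id: fmt.Sprintf("rt-%d", s.nextSerial()), subject: subject}
	s.byUser[subject] = sess
	s.byID[sess.id] = sess
	return s.issue(sess)
}

// Refresh exchanges a refresh token for a new id/refresh pair. The presented
// secret must match the stored one; the first caller wins and rotates it, so
// every other holder of the same refresh token gets ErrRefreshClaimed.
func (s *Server) Refresh(refresh string) (IDToken, string, error) {
	id, secret, ok := strings.Cut(refresh, ":")
	if !ok {
		return IDToken{}, "", ErrRefreshNotFound
	}
	sess, found := s.byID[id]
	if !found {
		return IDToken{}, "", ErrRefreshNotFound
	}
	if sess.secret != secret {
		return IDToken{}, "", ErrRefreshClaimed
	}
	idt, rt := s.issue(sess)
	return idt, rt, nil
}

// Validate is what the API server does with a bearer id token: only expiry matters.
func (s *Server) Validate(t IDToken) error {
	if !s.Now().Before(t.Expiry) {
		return ErrIDTokenExpired
	}
	return nil
}

func main() {
	clock := time.Unix(0, 0)
	srv := NewServer(func() time.Time { return clock }, time.Hour)

	// Case 1: one id/refresh pair copied to two machines; machine A refreshes first.
	_, shared := srv.Login("alice")
	_, _, errA := srv.Refresh(shared)
	_, _, errB := srv.Refresh(shared)
	fmt.Println("machine A refresh:", errA, "| machine B refresh:", errB)

	// Case 2: two separate logins as the same user; the second login replaces the first session.
	id1, rt1 := srv.Login("bob")
	_, _ = srv.Login("bob")
	fmt.Println("first id token still valid:", srv.Validate(id1) == nil)
	_, _, err1 := srv.Refresh(rt1)
	fmt.Println("first machine refresh:", err1)
	clock = clock.Add(2 * time.Hour)
	fmt.Println("first id token after expiry:", srv.Validate(id1))
}
```

The model makes the point in the engineering reply concrete: an id token is self-contained and keeps working until its expiry no matter what happens to the session, while the refresh token is a server-side, single-use credential that rotates on every refresh and disappears on a new login, which is why the copy that refreshes first is the only one that keeps working.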