Merge pull request #209 from zmartzone/create_new_session_on_refresh

bodewig · web-flow · commit e131b08f7a00 · 2018-10-16T13:16:04.000+02:00
create a new session id when the token has been refreshed
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,8 @@
+10/16/2018
+- lua-resty-openidc now creates a new session whenever the token(s)
+  are refreshed, trying to soften the impact when multiple requests
+  race to refresh the token at the same time. See #190 and #209
+
 10/11/2018
 - url-encode client_id/client_secret; closes #204 and #205; thanks @grrolland
   https://tools.ietf.org/html/rfc6749#section-2.3.1
diff --git a/lib/resty/openidc.lua b/lib/resty/openidc.lua
@@ -1202,8 +1202,13 @@ local function openidc_access_token(opts, session, try_to_renew)
     end
   end
 
-  -- save the session with the new access_token and optionally the new refresh_token and id_token
-  session:save()
+  -- save the session with the new access_token and optionally the new refresh_token and id_token using a new sessionid
+  local regenerated
+  regerenerated, err = session:regenerate()
+  if err then
+    log(ERROR, "failed to regenerate session: " .. err)
+    return nil, err
+  end
 
   return session.data.access_token, err
 end
