Offline workflows can get into a bad state: failed to delete refresh token

[klarose]

We've been running into an issue occasionally with offline workflows. We aren't 100% sure what is causing it, but I can conceive of at least one case where it is possible.

The symptom is that when a user tries to log in, the attempt fails with the following error:

{"level":"error","msg":"failed to get refresh token: not found","time":"2020-03-12T20:52:12Z"}

This persists until the user's OfflineSession is deleted from the backend storage. This is a fairly serious bug because it requires manual intervention the correct.

The issue seems to occur when the OfflineSession falls out of sync with the RefreshToken table. In particular, if the refresh token corresponding to the ID stored for the client in the offline storage is not present, then attempts to log in will fail in this block of code:

			if oldTokenRef, ok := session.Refresh[tokenRef.ClientID]; ok {
				// Delete old refresh token from storage.
				if err := s.storage.DeleteRefresh(oldTokenRef.ID); err != nil {
					s.logger.Errorf("failed to delete refresh token: %v", err)
					s.tokenErrHelper(w, errServerError, "", http.StatusInternalServerError)
					deleteToken = true
					return
				}
			}

One way this could happen is if dex crashes or is killed between when the above code executes and the code which updates the OfflineSession executes. In that case, the OfflineSession will still point to the refresh token we just deleted, so future calls to the code block will fail, leading to the auth request to fail.

[klarose]

A simple fix to this is to just not fail if we fail to delete the refresh token due to it not being there. If it's not there, what is the problem? I'll submit a PR for this momentarily.