This repository has been archived by the owner on Jan 24, 2019. It is now read-only.

GitHub Authentication keeps valid after user is removed from org or team #643

Open
lfventura opened this issue Aug 18, 2018 · 1 comment


@lfventura

Good night,

I am using this tool to authenticate on GitHub... I did some tests, and if I remove access from a user, the user is still able to log in to my application.

If the user keeps navigating the page, their session is kept valid during this time...
If the cookie expires (user idle), then he is unable to log in again...
So the issue is: the user's permission is not refreshed while the cookie is valid.

Besides that, is there any way that I can delete the user token directly at the oauth2_proxy?

@ploxiln
Contributor

ploxiln commented Aug 18, 2018

The cookie is not refreshed until -cookie-refresh and it should re-check auth at that time.

There is no way to invalidate the cookie separately/individually before it is refreshed or expired. You could only change the cookie-secret used to sign the cookies, which would invalidate all cookies/sessions.
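
The behaviour described in the reply above, as an added example that is not part of the thread and is not oauth2_proxy's code: a simplified Go model of a signed session cookie in which group membership is consulted only once the refresh interval has passed, and changing the signing secret invalidates every cookie at once. The `Proxy` type, its fields, the cookie layout and `IsMember` are assumptions made for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
	"time"
)

// Proxy is a simplified model of a cookie-session proxy; cookie = "user issuedUnix hexHMAC".
type Proxy struct {
	Secret          []byte                 // models -cookie-secret
	Refresh, Expire time.Duration          // model -cookie-refresh (0 = never re-check) and -cookie-expire
	IsMember        func(user string) bool // hypothetical stand-in for the org/team lookup
}

func (p *Proxy) sign(user string, issued time.Time) string {
	payload := fmt.Sprintf("%s %d", user, issued.Unix())
	m := hmac.New(sha256.New, p.Secret)
	m.Write([]byte(payload))
	return fmt.Sprintf("%s %x", payload, m.Sum(nil))
}

// Check reports whether the request is allowed and which cookie to send back.
func (p *Proxy) Check(cookie string, now time.Time) (bool, string) {
	var user, mac string
	var ts int64
	_, err := fmt.Sscanf(cookie, "%s %d %s", &user, &ts, &mac)
	age := now.Sub(time.Unix(ts, 0))
	if err != nil || !hmac.Equal([]byte(p.sign(user, time.Unix(ts, 0))), []byte(cookie)) || age > p.Expire {
		return false, "" // malformed, forged, signed with a rotated-out secret, or expired
	}
	if p.Refresh == 0 || age <= p.Refresh {
		return true, cookie // signature alone decides; membership is not consulted
	}
	if !p.IsMember(user) { // refresh interval passed: re-check with the provider
		return false, ""
	}
	return true, p.sign(user, now)
}

func main() { // constructed sample: alice is removed from the org right after logging in
	p := &Proxy{Secret: []byte("constructed-secret"), Refresh: time.Hour, Expire: 168 * time.Hour,
		IsMember: func(string) bool { return false }}
	t0 := time.Unix(1534550400, 0)
	for _, d := range []time.Duration{30 * time.Minute, 2 * time.Hour} {
		ok, _ := p.Check(p.sign("alice", t0), t0.Add(d))
		fmt.Printf("%v after login: allowed=%v\n", d, ok)
	}
}
```

In this model the window during which a removed user stays signed in is bounded by `Refresh` when it is set and by `Expire` when it is 0.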
