Software Heritage

auth/backends: Use offline refresh token for Web API authentication
ClosedPublic

Authored by anlambert on Aug 27 2020, 11:54 AM.

Details

Summary

Previously, to authenticate a Web API request, users had to send an access token
provided by Keycloak in the HTTP Authorization header. But those tokens are short
lived (usually a couple of minutes) and authentication fails once they have
expired. So to get a new access token without logging in again, users had to
request a new one from Keycloak using a refresh token (generated at the same time
as the access token).

So users who need to make a large number of authenticated API calls have to
implement the token renewal logic on their side
(see swh-web-client for instance).

For the convenience of Web API users, simplify the OIDC authentication workflow
by handling access token renewal directly in the DRF authentication backend.

This means that once a user gets his offline refresh token, he can store it and use
it to authenticate all his API calls until the token gets revoked.

To limit the number of requests sent to the authentication provider (Keycloak),
access tokens are put in cache until they expire (usually a couple of minutes).

Related to T1927

Diff Detail

Repository
rDWAPPS Web applications
Lint
Automatic diff as part of commit; lint not applicable.
Unit
Automatic diff as part of commit; unit tests not applicable.

Event Timeline

Build is green

Patch application report for D3849 (id=13597)

Rebasing onto b6820d3fcb...

Current branch diff-target is up to date.
Changes applied before test
commit 998bdea8a558053fbcbe99e40ca10ce43621df1b
Author: Antoine Lambert <antoine.lambert@inria.fr>
Date:   Thu Aug 27 11:27:28 2020 +0200

    auth/backends: Use offline refresh token for Web API authentication
    
    For the convenience of Web API users, simplify the OIDC authentication workflow
    by handling access token renewal directly in the DRF authentication backend.
    
    This means that once a user gets his offline refresh token, he can store it and use
    it to authenticate all his API calls until the token gets revoked.
    
    To limit the number of requests sent to the authentication provider (Keycloak),
    access tokens are put in cache until they expire (usually a couple of minutes).
    
    Related to T1927

See https://jenkins.softwareheritage.org/job/DWAPPS/job/tests-on-diff/343/ for more details.

Build is green

Patch application report for D3849 (id=13598)

Rebasing onto b6820d3fcb...

Current branch diff-target is up to date.
Changes applied before test
commit eb6b9418d18960031a1740517bf9b75dce48c016
Author: Antoine Lambert <antoine.lambert@inria.fr>
Date:   Thu Aug 27 11:27:28 2020 +0200

    auth/backends: Use offline refresh token for Web API authentication
    
    For the convenience of Web API users, simplify the OIDC authentication workflow
    by handling access token renewal directly in the DRF authentication backend.
    
    This means that once a user gets his offline refresh token, he can store it and use
    it to authenticate all his API calls until the token gets revoked.
    
    To limit the number of requests sent to the authentication provider (Keycloak),
    access tokens are put in cache until they expire (usually a couple of minutes).
    
    Related to T1927

See https://jenkins.softwareheritage.org/job/DWAPPS/job/tests-on-diff/344/ for more details.

vlorentz added a subscriber: vlorentz.
vlorentz added inline comments.
swh/web/auth/backends.py, line 145

should probably catch the UnicodeEncodeError to show a better error message (and 400 status)
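A worked example of the behaviour the summary describes (an offline refresh token sent as bearer credential, exchanged for a short-lived access token that is cached until it expires) and of the point raised in the inline comment above (a malformed or non-ASCII token should produce a 400, not an unhandled UnicodeEncodeError). This is added illustration code, not swh-web's backends.py: the Keycloak client, user store, clock, exception classes and the names OfflineTokenBackend, FakeKeycloak, parse_header and authenticate are all constructed for the example, and the provider returns the user id directly where a real Keycloak would return a signed JWT to be verified and decoded.

```python
"""Added example: a DRF-style authentication backend that accepts an offline
refresh token as bearer credential, exchanges it for an access token, and
caches that access token until shortly before it expires. Everything below
(provider, clock, exceptions) is a constructed stand-in, not swh-web code."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


class ApiError(Exception):
    """Stand-in for DRF's APIException family; status_code is what DRF would send."""
    status_code = 500


class BadRequest(ApiError):
    status_code = 400  # the client sent something it must fix


class AuthenticationFailed(ApiError):
    status_code = 401  # credential was well-formed but not accepted


@dataclass
class FakeKeycloak:
    """Constructed model of the token endpoint's refresh_token grant (no network)."""
    users: Dict[str, str]                  # offline refresh token -> user id
    access_lifetime: int = 300             # seconds; a few minutes, as on the page
    revoked: Set[str] = field(default_factory=set)
    calls: int = 0                         # how often the provider was contacted

    def refresh(self, refresh_token: str) -> dict:
        self.calls += 1
        if refresh_token in self.revoked or refresh_token not in self.users:
            raise ValueError("invalid_grant")
        sub = self.users[refresh_token]
        return {"access_token": f"at-{sub}-{self.calls}",
                "expires_in": self.access_lifetime, "sub": sub}


class FakeClock:
    """Controllable monotonic clock so cache expiry can be exercised offline."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class OfflineTokenBackend:
    SKEW = 10  # seconds: drop a cached access token slightly before the provider does

    def __init__(self, provider: FakeKeycloak, clock: Optional[FakeClock] = None) -> None:
        self.provider = provider
        self.clock = clock or FakeClock()
        # cache key -> (token response, absolute expiry on our clock)
        self._cache: Dict[str, Tuple[dict, float]] = {}

    @staticmethod
    def parse_header(authorization: str) -> str:
        """Return the bearer credential, or raise a 400 for malformed input."""
        scheme, _, token = authorization.partition(" ")
        token = token.strip()
        if scheme.lower() != "bearer" or not token:
            raise BadRequest("expected 'Authorization: Bearer <offline refresh token>'")
        try:
            # Refresh tokens are base64url-encoded, hence ASCII by construction.
            # Encoding here turns a non-ASCII value into a client error instead of
            # an unhandled UnicodeEncodeError (a 500) deeper in the HTTP client.
            token.encode("ascii")
        except UnicodeEncodeError as exc:
            raise BadRequest("refresh token contains non-ASCII characters") from exc
        return token

    @staticmethod
    def _cache_key(refresh_token: str) -> str:
        # Hash the secret rather than keying the cache on it verbatim, so a cache
        # dump does not hand out usable credentials.
        return hashlib.sha256(refresh_token.encode("ascii")).hexdigest()

    def authenticate(self, authorization: Optional[str]) -> Optional[str]:
        """Return the authenticated user id, or None for an anonymous request."""
        if not authorization:
            return None
        refresh_token = self.parse_header(authorization)
        key = self._cache_key(refresh_token)
        now = self.clock()
        cached = self._cache.get(key)
        if cached is not None and cached[1] > now:
            return cached[0]["sub"]  # served from cache, no round trip to Keycloak
        try:
            token = self.provider.refresh(refresh_token)
        except ValueError as exc:  # invalid_grant: unknown or revoked token
            self._cache.pop(key, None)
            raise AuthenticationFailed("invalid or revoked refresh token") from exc
        self._cache[key] = (token, now + token["expires_in"] - self.SKEW)
        return token["sub"]
```

The cache is also the caveat: once an access token is cached, revoking the offline token at Keycloak is not noticed until that cache entry expires, so a revoked token keeps authenticating for up to the access token lifetime. If that window matters, shorten the cache TTL below the access token lifetime or skip the cache for sensitive endpoints.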

This revision is now accepted and ready to land.Aug 27 2020, 5:01 PM

Build is green

Patch application report for D3849 (id=13601)

Rebasing onto b6820d3fcb...

Current branch diff-target is up to date.
Changes applied before test
commit 3250335c25c551f8712c6985ddad0c89c24ea20f
Author: Antoine Lambert <antoine.lambert@inria.fr>
Date:   Thu Aug 27 11:27:28 2020 +0200

    auth/backends: Use offline refresh token for Web API authentication
    
    For the convenience of Web API users, simplify the OIDC authentication workflow
    by handling access token renewal directly in the DRF authentication backend.
    
    This means that once a user gets his offline refresh token, he can store it and use
    it to authenticate all his API calls until the token gets revoked.
    
    To limit the number of requests sent to the authentication provider (Keycloak),
    access tokens are put in cache until they expire (usually a couple of minutes).
    
    Related to T1927

See https://jenkins.softwareheritage.org/job/DWAPPS/job/tests-on-diff/345/ for more details.