
auth: Implement access token renewal in OIDC Authorization Code backend
Closed, Public

Authored by anlambert on Dec 9 2020, 4:24 PM.

Details

Summary

Previously, when an access token had expired, the OIDC session was attempted
to be silently refreshed through the use of the OIDCSessionRefreshMiddleware
class.

But silent refresh should only be performed with the OIDC Implicit flow as no
refresh token gets issued in that case.

swh-web uses the OIDC Authorization Code flow to log in users, so this commit
implements access token renewal directly in the Django auth backend through
the use of a refresh token.

Currently, refresh tokens have a lifetime of 30 minutes, meaning a user
can have their authenticated session in an idle state during that period.
If they visit a new web page during that idle period, their authenticated
session will then be renewed for another 30 minutes.

Also rename OIDCSessionRefreshMiddleware to OIDCSessionExpiredMiddleware.
The middleware will now simply redirect to the logout page if it detects
that the OIDC session has expired.

Diff Detail

Repository
rDWAPPS Web applications
Branch
oidc-pkce-backend-refresh-token
Lint
No Linters Available
Unit
No Unit Test Coverage
Build Status
Buildable 17875
Build 27619: Phabricator diff pipeline on jenkins
Build 27618: arc lint + arc unit

Event Timeline

Build is green

Patch application report for D4697 (id=16660)

Rebasing onto bdacba90d0...

Current branch diff-target is up to date.
Changes applied before test
commit 2d0ff0a1a441d45b81e1e36ed19cd92437829a36
Author: Antoine Lambert <antoine.lambert@inria.fr>
Date:   Wed Dec 9 16:10:13 2020 +0100

    auth: Implement access token renewal in OIDC Authorization Code backend
    
    Previously, when an access token had expired, the OIDC session was attempted
    to be silently refreshed through the use of the OIDCSessionRefreshMiddleware
    class.
    
    But silent refresh should be performed as a last resort when an OIDC session
    has just expired. Thus, this commit implements access token renewal directly in
    the Django auth backend through the use of a refresh token.
    
    Currently, refresh tokens have a lifetime of 30 minutes, meaning a user
    can have their authenticated session in an idle state during that period.
    If they visit a new web page during that idle period, their authenticated
    session will then be renewed for another 30 minutes.

See https://jenkins.softwareheritage.org/job/DWAPPS/job/tests-on-diff/527/ for more details.

I don't understand the difference between:

when an access token has expired, the OIDC session was attempted
to be silently refreshed through the use of the OIDCSessionRefreshMiddleware
class.

and:

silent refresh should be performed at last resort when an OIDC session
just expired

I don't understand the difference between:

when an access token has expired, the OIDC session was attempted
to be silently refreshed through the use of the OIDCSessionRefreshMiddleware
class.

and:

silent refresh should be performed at last resort when an OIDC session
just expired

That was not clear to me either. I just read some OIDC documentation again and I realized that I mixed up the way an access token gets renewed depending on the authentication flow used.
When using the OIDC Implicit flow, the access token must be renewed using the silent refresh technique, as no refresh token gets provided in that case.
When using the OIDC Authorization Code flow, the access token can simply be renewed using the provided refresh token.

The swh-web UI uses the Authorization Code flow for user login, so the silent refresh step is not needed anymore now that access token renewal with the refresh token is implemented backend side.
Consequently, I will rename OIDCSessionRefreshMiddleware to OIDCSessionExpiredMiddleware, which will simply redirect the user to the logout page once their session has expired.
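The renewal rule discussed above (keep a valid access token, exchange the refresh token once the access token has expired, treat the session as expired once the refresh token's 30 minute lifetime has passed) as an added example; this is not swh-web code, and the token endpoint is a constructed stand-in for the OIDC provider's refresh_token grant:

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

ACCESS_TTL = 300     # seconds; assumed access token lifetime (illustrative)
REFRESH_TTL = 1800   # seconds; 30 minute refresh token lifetime, as in the diff


@dataclass
class OIDCSession:
    access_token: str
    access_expires_at: float
    refresh_token: str
    refresh_expires_at: float


class FakeTokenEndpoint:
    """Constructed stand-in for the provider's token endpoint.
    Refresh tokens are single-use and rotate on every successful refresh."""

    def __init__(self) -> None:
        self.refresh_tokens: Dict[str, float] = {}  # refresh token -> expiry
        self.refresh_calls = 0

    def login(self, now: float) -> OIDCSession:
        return self._issue(now)

    def refresh(self, refresh_token: str, now: float) -> OIDCSession:
        expires_at = self.refresh_tokens.pop(refresh_token, None)  # consume it
        if expires_at is None or now >= expires_at:
            raise PermissionError("invalid_grant")  # unknown, reused or expired
        self.refresh_calls += 1
        return self._issue(now)

    def _issue(self, now: float) -> OIDCSession:
        rt = secrets.token_hex(8)
        self.refresh_tokens[rt] = now + REFRESH_TTL
        return OIDCSession(secrets.token_hex(8), now + ACCESS_TTL, rt, now + REFRESH_TTL)


def renew_session(session: OIDCSession, endpoint: FakeTokenEndpoint,
                  now: float) -> Optional[OIDCSession]:
    """Run on each authenticated request: return the session to keep using,
    or None when it has expired (the middleware then redirects to logout)."""
    if now < session.access_expires_at:
        return session                    # access token still valid
    if now >= session.refresh_expires_at:
        return None                       # idle longer than the refresh lifetime
    try:
        return endpoint.refresh(session.refresh_token, now)
    except PermissionError:
        return None                       # provider refused the refresh token
```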

Update:

  • Rebase
  • Remove the OIDC silent refresh process as it is not needed with the Authorization Code flow
  • Rename OIDCSessionRefreshMiddleware to OIDCSessionExpiredMiddleware; the user will now simply be redirected to the logout page when their session has expired

Build is green

Patch application report for D4697 (id=16708)

Rebasing onto 7bd24236ab...

Current branch diff-target is up to date.
Changes applied before test
commit cc350a5b9f5ffc8de0cd2586d8cee6a249c8a01c
Author: Antoine Lambert <antoine.lambert@inria.fr>
Date:   Wed Dec 9 16:10:13 2020 +0100

    auth: Implement access token renewal in OIDC Authorization Code backend
    
    Previously, when an access token had expired, the OIDC session was attempted
    to be silently refreshed through the use of the OIDCSessionRefreshMiddleware
    class.
    
    But silent refresh should only be performed with the OIDC Implicit flow, as no
    refresh token gets issued in that case.
    
    swh-web uses the OIDC Authorization Code flow to log in users, so this commit
    implements access token renewal directly in the Django auth backend through
    the use of a refresh token.
    
    Currently, refresh tokens have a lifetime of 30 minutes, meaning a user
    can have their authenticated session in an idle state during that period.
    If they visit a new web page during that idle period, their authenticated
    session will then be renewed for another 30 minutes.
    
    Also rename OIDCSessionRefreshMiddleware to OIDCSessionExpiredMiddleware.
    The middleware will now simply redirect to the logout page if it detects
    that the OIDC session has expired.

See https://jenkins.softwareheritage.org/job/DWAPPS/job/tests-on-diff/529/ for more details.

Build is green

Patch application report for D4697 (id=16710)

Rebasing onto 7bd24236ab...

Current branch diff-target is up to date.
Changes applied before test
commit bf24e31cdb69ee9ab727c5a9313167934b360088
Author: Antoine Lambert <antoine.lambert@inria.fr>
Date:   Wed Dec 9 16:10:13 2020 +0100

    auth: Implement access token renewal in OIDC Authorization Code backend
    
    Previously, when an access token had expired, the OIDC session was attempted
    to be silently refreshed through the use of the OIDCSessionRefreshMiddleware
    class.
    
    But silent refresh should only be performed with the OIDC Implicit flow, as no
    refresh token gets issued in that case.
    
    swh-web uses the OIDC Authorization Code flow to log in users, so this commit
    implements access token renewal directly in the Django auth backend through
    the use of a refresh token.
    
    Currently, refresh tokens have a lifetime of 30 minutes, meaning a user
    can have their authenticated session in an idle state during that period.
    If they visit a new web page during that idle period, their authenticated
    session will then be renewed for another 30 minutes.
    
    Also rename OIDCSessionRefreshMiddleware to OIDCSessionExpiredMiddleware.
    The middleware will now simply redirect to the logout page if it detects
    that the OIDC session has expired.

See https://jenkins.softwareheritage.org/job/DWAPPS/job/tests-on-diff/530/ for more details.

Cool. Could you just update the commit message and diff description to match the new content of the diff?

anlambert edited the summary of this revision.

Cool. Could you just update the commit message and diff description to match the new content of the diff?

Commit message was already updated, I just updated diff description.

Update: Rebase and update docstring

Build is green

Patch application report for D4697 (id=16767)

Rebasing onto ed7a4a3705...

Current branch diff-target is up to date.
Changes applied before test
commit bc36b5a68687e9e3a817ce8b40e25b24de849303
Author: Antoine Lambert <antoine.lambert@inria.fr>
Date:   Wed Dec 9 16:10:13 2020 +0100

    auth: Implement access token renewal in OIDC Authorization Code backend
    
    Previously, when an access token had expired, the OIDC session was attempted
    to be silently refreshed through the use of the OIDCSessionRefreshMiddleware
    class.
    
    But silent refresh should only be performed with the OIDC Implicit flow, as no
    refresh token gets issued in that case.
    
    swh-web uses the OIDC Authorization Code flow to log in users, so this commit
    implements access token renewal directly in the Django auth backend through
    the use of a refresh token.
    
    Currently, refresh tokens have a lifetime of 30 minutes, meaning a user
    can have their authenticated session in an idle state during that period.
    If they visit a new web page during that idle period, their authenticated
    session will then be renewed for another 30 minutes.
    
    Also rename OIDCSessionRefreshMiddleware to OIDCSessionExpiredMiddleware.
    The middleware will now simply redirect to the logout page if it detects
    that the OIDC session has expired.

See https://jenkins.softwareheritage.org/job/DWAPPS/job/tests-on-diff/537/ for more details.

This revision is now accepted and ready to land. Dec 15 2020, 2:56 PM
This revision was landed with ongoing or failed builds. Jan 5 2021, 10:53 AM
This revision was automatically updated to reflect the committed changes.