Changeset View
Changeset View
Standalone View
Standalone View
swh/web/auth/middlewares.py
- This file was added.
# Copyright (C) 2020 The Software Heritage developers | |||||
# See the AUTHORS file at the top-level directory of this distribution | |||||
# License: GNU Affero General Public License version 3, or any later version | |||||
# See top-level LICENSE file for more information | |||||
from django.contrib.auth import BACKEND_SESSION_KEY | |||||
from django.http.response import HttpResponseRedirect | |||||
from swh.web.common.utils import reverse | |||||
class OIDCSessionRefreshMiddleware: | |||||
""" | |||||
Middleware for silently refreshing on OpenID Connect session from | |||||
the browser and get new access token. | |||||
""" | |||||
def __init__(self, get_response=None): | |||||
self.get_response = get_response | |||||
self.exempted_urls = [ | |||||
reverse(v) for v in ('logout', | |||||
'oidc-login', | |||||
'oidc-login-complete', | |||||
'oidc-logout') | |||||
] | |||||
def __call__(self, request): | |||||
if (request.method != 'GET' | |||||
or request.user.is_authenticated | |||||
or BACKEND_SESSION_KEY not in request.session | |||||
or 'OIDC' not in request.session[BACKEND_SESSION_KEY] | |||||
or request.path in self.exempted_urls): | |||||
return self.get_response(request) | |||||
# At that point, we know that a OIDC user was previously logged in. | |||||
# Access token has expired so we attempt a silent OIDC session refresh. | |||||
# If the latter failed because the session expired, user will be | |||||
# redirected to logout page and a link will be offered to login again. | |||||
vlorentz: I don't understand: "If the latter failed [...], user will be redirected"
but I don't see a… | |||||
Done Inline ActionsIndeed, the conditional processing and logout redirection is handled in the oidc-login-complete view as this is the place where we can check if a silent refresh (or relogin) failed or not based on the OIDC server response. anlambert: Indeed, the conditional processing and logout redirection is handled in the `oidc-login… | |||||
Done Inline ActionsI will update that comment to point to the oidc-login-complete view implementation for a better understanding of that process. anlambert: I will update that comment to point to the `oidc-login-complete` view implementation for a… | |||||
# See implementation of "oidc-login-complete" view for more details. | |||||
next_path = request.get_full_path() | |||||
redirect_url = reverse('oidc-login', | |||||
query_params={'next_path': next_path, | |||||
'prompt': 'none'}) | |||||
return HttpResponseRedirect(redirect_url) |
I don't understand: "If the latter failed [...], user will be redirected"
but I don't see a conditional in the code