Changeset View
Changeset View
Standalone View
Standalone View
swh/web/auth/middlewares.py
- This file was added.
| # Copyright (C) 2020 The Software Heritage developers | |||||
| # See the AUTHORS file at the top-level directory of this distribution | |||||
| # License: GNU Affero General Public License version 3, or any later version | |||||
| # See top-level LICENSE file for more information | |||||
| from django.contrib.auth import BACKEND_SESSION_KEY | |||||
| from django.http.response import HttpResponseRedirect | |||||
| from swh.web.common.utils import reverse | |||||
| class OIDCSessionRefreshMiddleware: | |||||
| """ | |||||
| Middleware for silently refreshing on OpenID Connect session from | |||||
| the browser and get new access token. | |||||
| """ | |||||
| def __init__(self, get_response=None): | |||||
| self.get_response = get_response | |||||
| self.exempted_urls = [ | |||||
| reverse(v) for v in ('logout', | |||||
| 'oidc-login', | |||||
| 'oidc-login-complete', | |||||
| 'oidc-logout') | |||||
| ] | |||||
| def __call__(self, request): | |||||
| if (request.method != 'GET' | |||||
| or request.user.is_authenticated | |||||
| or BACKEND_SESSION_KEY not in request.session | |||||
| or 'OIDC' not in request.session[BACKEND_SESSION_KEY] | |||||
| or request.path in self.exempted_urls): | |||||
| return self.get_response(request) | |||||
| # At that point, we know that a OIDC user was previously logged in. | |||||
| # Access token has expired so we attempt a silent OIDC session refresh. | |||||
| # If the latter failed because the session expired, user will be | |||||
| # redirected to logout page and a link will be offered to login again. | |||||
vlorentz: I don't understand: "If the latter failed [...], user will be redirected"
but I don't see a… | |||||
Done Inline ActionsIndeed, the conditional processing and logout redirection is handled in the oidc-login-complete view as this is the place where we can check if a silent refresh (or relogin) failed or not based on the OIDC server response. anlambert: Indeed, the conditional processing and logout redirection is handled in the `oidc-login… | |||||
Done Inline ActionsI will update that comment to point to the oidc-login-complete view implementation for a better understanding of that process. anlambert: I will update that comment to point to the `oidc-login-complete` view implementation for a… | |||||
| # See implementation of "oidc-login-complete" view for more details. | |||||
| next_path = request.get_full_path() | |||||
| redirect_url = reverse('oidc-login', | |||||
| query_params={'next_path': next_path, | |||||
| 'prompt': 'none'}) | |||||
| return HttpResponseRedirect(redirect_url) | |||||
I don't understand: "If the latter failed [...], user will be redirected"
but I don't see a conditional in the code