Page MenuHomeSoftware Heritage
Differential D4697

auth: Implement access token renewal in OIDC Authorization Code backend
ClosedPublic
Actions

Authored by anlambert on Dec 9 2020, 4:24 PM.

Details

Reviewers
vlorentz
Group Reviewers
Reviewers
Commits
rDWAPPS6499c518d0b5: auth: Implement access token renewal in OIDC Authorization Code backend
Summary

Previously when an access token has expired, the OIDC session was attempted
to be silently refreshed through the use of the OIDCSessionRefreshMiddleware
class.

But silent refresh should only be performed with the OIDC Implicit flow as no
refresh token gets issued in that case.

swh-web uses OIDC Authorization Code flow to login users so that commit
implements access token renewal directly in the django auth backend through
the use of a refresh token.

Currently, refresh token have a living period of 30 minutes, meaning a user
can have its authenticated session in idle state during that period.
If he visits a new web page during that idle period, its authenticated
session will then be renewed for another 30 minutes.

Also rename OIDCSessionRefreshMiddleware to OIDCSessionExpiredMiddleware.
The middleware will now simply redirects to the logout page if it detects
the OIDC session has expired.

Diff Detail

Repository
rDWAPPS Web applications
Branch
oidc-pkce-backend-refresh-token
Lint
No Linters Available
Unit
No Unit Test Coverage
Build Status
Buildable 18166
Build 28041: Phabricator diff pipeline on jenkinsJenkins console · Jenkins
Build 28040: arc lint + arc unit

Event Timeline

anlambert created this revision.Dec 9 2020, 4:24 PM
Herald added a reviewer: Reviewers. · View Herald TranscriptDec 9 2020, 4:24 PM
swh-public-ci added a comment.Dec 9 2020, 4:32 PM

Build is green

Patch application report for D4697 (id=16660)

Rebasing onto bdacba90d0...

Current branch diff-target is up to date.
Changes applied before test
commit 2d0ff0a1a441d45b81e1e36ed19cd92437829a36
Author: Antoine Lambert <antoine.lambert@inria.fr>
Date:   Wed Dec 9 16:10:13 2020 +0100

    auth: Implement access token renewal in OIDC Authorization Code backend
    
    Previously when an access token has expired, the OIDC session was attempted
    to be silently refreshed through the use of the OIDCSessionRefreshMiddleware
    class.
    
    But silent refresh should be performed at last resort when an OIDC session
    just expired. Thus, that commit implements access token renewal directly in
    the django auth backend throug the use of a refresh token.
    
    Currently, refresh token have a living period of 30 minutes, meaning a user
    can have its authenticated session in idle state during that period.
    If he visits a new web page during that idle period, its authenticated
    session will then be renewed for another 30 minutes.

See https://jenkins.softwareheritage.org/job/DWAPPS/job/tests-on-diff/527/ for more details.

Harbormaster completed remote builds in B17834: Diff 16660.Dec 9 2020, 4:32 PM
vlorentz added a subscriber: vlorentz.Dec 10 2020, 2:56 PM

I don't understand the difference between:

when an access token has expired, the OIDC session was attempted
to be silently refreshed through the use of the OIDCSessionRefreshMiddleware
class.

and:

silent refresh should be performed at last resort when an OIDC session
just expired

anlambert added a comment.Dec 10 2020, 3:58 PM
In D4697#117770, @vlorentz wrote:

I don't understand the difference between:

when an access token has expired, the OIDC session was attempted
to be silently refreshed through the use of the OIDCSessionRefreshMiddleware
class.

and:

silent refresh should be performed at last resort when an OIDC session
just expired

That was not clear to me either. I just read again some OIDC documentation and I realized that I mixed up the way an access token gets renewed according to the used authentication flow.
When using OIDC Implicit flow, the access token must be renewed using the silent refresh technique as no refresh token gets provided in that case.
When using OIDC Authorization Code flow, the access token can simply be renewed using the provided refresh token.

swh-web UI uses the Authorization Code flow for user login, so the silent refresh step is not needed anymore now the access token renewal with the refresh token is implemented backend side.
Consequently, I will rename OIDCSessionRefreshMiddleware into OIDCSessionExpiredMiddleware that will simply redirect the user to the logout page once his session expired.

anlambert updated this revision to Diff 16708.Dec 10 2020, 4:30 PM

Update:

  • Rebase
  • Remove OIDC silent refresh process as it is not needed with Authorization Code flow
  • Rename OIDCSessionRefreshMiddleware to OIDCSessionExpiredMiddleware, user will now simply be redirected to logout page when his session has expired
swh-public-ci added a comment.Dec 10 2020, 4:37 PM

Build is green

Patch application report for D4697 (id=16708)

Rebasing onto 7bd24236ab...

Current branch diff-target is up to date.
Changes applied before test
commit cc350a5b9f5ffc8de0cd2586d8cee6a249c8a01c
Author: Antoine Lambert <antoine.lambert@inria.fr>
Date:   Wed Dec 9 16:10:13 2020 +0100

    auth: Implement access token renewal in OIDC Authorization Code backend
    
    Previously when an access token has expired, the OIDC session was attempted
    to be silently refreshed through the use of the OIDCSessionRefreshMiddleware
    class.
    
    But silent refresh should only be performed with the OIDC Implicit flow as no
    refresh token gets issued in that case.
    
    swh-web uses OIDC Authorization Code flow to login users so that commit
    implements access token renewal directly in the django auth backend through
    the use of a refresh token.
    
    Currently, refresh token have a living period of 30 minutes, meaning a user
    can have its authenticated session in idle state during that period.
    If he visits a new web page during that idle period, its authenticated
    session will then be renewed for another 30 minutes.
    
    Also rename OIDCSessionRefreshMiddleware to OIDCSessionExpiredMiddleware.
    The middleware will now simply redirects to the logout page if it detects
    the OIDC session has expired.

See https://jenkins.softwareheritage.org/job/DWAPPS/job/tests-on-diff/529/ for more details.

Harbormaster completed remote builds in B17873: Diff 16708.Dec 10 2020, 4:37 PM
anlambert updated this revision to Diff 16710.Dec 10 2020, 4:44 PM

Update comment

swh-public-ci added a comment.Dec 10 2020, 4:52 PM

Build is green

Patch application report for D4697 (id=16710)

Rebasing onto 7bd24236ab...

Current branch diff-target is up to date.
Changes applied before test
commit bf24e31cdb69ee9ab727c5a9313167934b360088
Author: Antoine Lambert <antoine.lambert@inria.fr>
Date:   Wed Dec 9 16:10:13 2020 +0100

    auth: Implement access token renewal in OIDC Authorization Code backend
    
    Previously when an access token has expired, the OIDC session was attempted
    to be silently refreshed through the use of the OIDCSessionRefreshMiddleware
    class.
    
    But silent refresh should only be performed with the OIDC Implicit flow as no
    refresh token gets issued in that case.
    
    swh-web uses OIDC Authorization Code flow to login users so that commit
    implements access token renewal directly in the django auth backend through
    the use of a refresh token.
    
    Currently, refresh token have a living period of 30 minutes, meaning a user
    can have its authenticated session in idle state during that period.
    If he visits a new web page during that idle period, its authenticated
    session will then be renewed for another 30 minutes.
    
    Also rename OIDCSessionRefreshMiddleware to OIDCSessionExpiredMiddleware.
    The middleware will now simply redirects to the logout page if it detects
    the OIDC session has expired.

See https://jenkins.softwareheritage.org/job/DWAPPS/job/tests-on-diff/530/ for more details.

Harbormaster completed remote builds in B17875: Diff 16710.Dec 10 2020, 4:52 PM
vlorentz added a comment.Dec 11 2020, 11:40 AM

Cool. Could you just update the commit message and diff description to match the new content of the diff?

anlambert edited the summary of this revision. (Show Details)Dec 11 2020, 12:41 PM
anlambert edited the summary of this revision. (Show Details)
In D4697#117884, @vlorentz wrote:

Cool. Could you just update the commit message and diff description to match the new content of the diff?

Commit message was already updated, I just updated diff description.

anlambert updated this revision to Diff 16767.Dec 14 2020, 1:34 PM

Update: Rebase and update docstring

swh-public-ci added a comment.Dec 14 2020, 1:41 PM

Build is green

Patch application report for D4697 (id=16767)

Rebasing onto ed7a4a3705...

Current branch diff-target is up to date.
Changes applied before test
commit bc36b5a68687e9e3a817ce8b40e25b24de849303
Author: Antoine Lambert <antoine.lambert@inria.fr>
Date:   Wed Dec 9 16:10:13 2020 +0100

    auth: Implement access token renewal in OIDC Authorization Code backend
    
    Previously when an access token has expired, the OIDC session was attempted
    to be silently refreshed through the use of the OIDCSessionRefreshMiddleware
    class.
    
    But silent refresh should only be performed with the OIDC Implicit flow as no
    refresh token gets issued in that case.
    
    swh-web uses OIDC Authorization Code flow to login users so that commit
    implements access token renewal directly in the django auth backend through
    the use of a refresh token.
    
    Currently, refresh token have a living period of 30 minutes, meaning a user
    can have its authenticated session in idle state during that period.
    If he visits a new web page during that idle period, its authenticated
    session will then be renewed for another 30 minutes.
    
    Also rename OIDCSessionRefreshMiddleware to OIDCSessionExpiredMiddleware.
    The middleware will now simply redirects to the logout page if it detects
    the OIDC session has expired.

See https://jenkins.softwareheritage.org/job/DWAPPS/job/tests-on-diff/537/ for more details.

Harbormaster completed remote builds in B17926: Diff 16767.Dec 14 2020, 1:41 PM
vlorentz accepted this revision.Dec 15 2020, 2:56 PM
This revision is now accepted and ready to land.Dec 15 2020, 2:56 PM
anlambert updated this revision to Diff 17028.Jan 5 2021, 10:31 AM

Rebase

This revision was landed with ongoing or failed builds.Jan 5 2021, 10:53 AM
Closed by commit rDWAPPS6499c518d0b5: auth: Implement access token renewal in OIDC Authorization Code backend (authored by anlambert). · Explain Why
This revision was automatically updated to reflect the committed changes.
anlambert added a commit: rDWAPPS6499c518d0b5: auth: Implement access token renewal in OIDC Authorization Code backend.

Revision Contents
Changeset List

PathSize
swh/
web/
auth/
26 lines
20 lines
13 lines
settings/
2 lines
tests/
auth/
62 lines
35 lines
44 lines

Diff 17028

View Options

swh/web/auth/backends.py

Loading...
View Options

swh/web/auth/middlewares.py

Loading...
View Options

swh/web/auth/views.py

Loading...
View Options

swh/web/settings/common.py

Loading...
View Options

swh/web/tests/auth/test_backends.py

Loading...
View Options

swh/web/tests/auth/test_middlewares.py

Loading...
View Options

swh/web/tests/auth/test_views.py

Loading...
About · Developer information · Legal