
auth: Implement access token renewal in OIDC Authorization Code backend

Description

auth: Implement access token renewal in OIDC Authorization Code backend

Previously, when an access token had expired, an attempt was made to silently
refresh the OIDC session through the use of the OIDCSessionRefreshMiddleware
class.

But silent refresh should only be performed with the OIDC Implicit flow, as no
refresh token gets issued in that case.

swh-web uses the OIDC Authorization Code flow to log in users, so this commit
implements access token renewal directly in the Django auth backend through
the use of a refresh token.

Currently, refresh tokens have a lifetime of 30 minutes, meaning a user can
leave their authenticated session idle during that period.
If they visit a new web page during that idle period, their authenticated
session will then be renewed for another 30 minutes.

Also rename OIDCSessionRefreshMiddleware to OIDCSessionExpiredMiddleware.
The middleware will now simply redirect to the logout page if it detects
that the OIDC session has expired.
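The renewal decision the commit message describes, as an added illustration that is not the swh-web code from this revision: the session shape, the `FakeTokenEndpoint` stand-in for the provider's token endpoint, the 5-minute access token lifetime and every name below are constructed assumptions (only the 30-minute refresh token lifetime comes from the message). An access token that is still valid is used as-is; an expired access token with a still-valid refresh token is renewed against the token endpoint; anything else is the "expired" outcome where a middleware like the renamed OIDCSessionExpiredMiddleware would redirect to the logout page. The stub also rotates refresh tokens and rejects a reused one, which is the failure mode a backend has to treat as "expired" rather than as an error page.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed lifetimes for the example. The 30-minute refresh token lifetime
# matches the commit message; the access token lifetime is an assumption.
ACCESS_TOKEN_LIFETIME = 5 * 60
REFRESH_TOKEN_LIFETIME = 30 * 60


@dataclass(frozen=True)
class OIDCSession:
    """What a server-side session would need to keep for renewal (assumed shape)."""
    access_token: str
    access_expires_at: float   # unix timestamp
    refresh_token: str
    refresh_expires_at: float  # unix timestamp


class FakeTokenEndpoint:
    """Constructed stand-in for an OIDC provider's token endpoint.

    It issues token pairs, rotates the refresh token on every refresh and
    rejects a refresh token that is expired, unknown or already used.
    """

    def __init__(self) -> None:
        self._counter = 0
        self._live_refresh_tokens: Dict[str, float] = {}  # token -> expiry

    def _issue(self, now: float) -> OIDCSession:
        self._counter += 1
        session = OIDCSession(
            access_token=f"access-{self._counter}",
            access_expires_at=now + ACCESS_TOKEN_LIFETIME,
            refresh_token=f"refresh-{self._counter}",
            refresh_expires_at=now + REFRESH_TOKEN_LIFETIME,
        )
        self._live_refresh_tokens[session.refresh_token] = session.refresh_expires_at
        return session

    def login(self, now: float) -> OIDCSession:
        """Authorization Code flow completed: a first token pair is issued."""
        return self._issue(now)

    def refresh(self, refresh_token: str, now: float) -> OIDCSession:
        """Refresh token grant; single use, so a replayed token is refused."""
        expiry = self._live_refresh_tokens.pop(refresh_token, None)
        if expiry is None or now >= expiry:
            raise PermissionError("invalid_grant: refresh token expired, unknown or already used")
        return self._issue(now)


def renew_if_expired(session: OIDCSession, endpoint: FakeTokenEndpoint,
                     now: float) -> Tuple[Optional[OIDCSession], str]:
    """Decide what the auth backend does on a new request.

    Returns (session, "valid") when the access token is still good,
    (new_session, "renewed") when it was refreshed, and (None, "expired")
    when the user must be logged out (refresh token expired or refused).
    """
    if now < session.access_expires_at:
        return session, "valid"
    if now < session.refresh_expires_at:
        try:
            return endpoint.refresh(session.refresh_token, now), "renewed"
        except PermissionError:
            # Provider refused the grant (rotated or revoked token): treat as expired.
            return None, "expired"
    return None, "expired"


if __name__ == "__main__":
    endpoint = FakeTokenEndpoint()
    first = endpoint.login(now=0.0)
    for t in (100.0, 400.0, 2300.0):
        renewed, state = renew_if_expired(first, endpoint, now=t)
        print(f"t={t:>6.0f}s -> {state}")
        if renewed is not None:
            first = renewed
```

Running the block walks one session through the three states: still valid at 100 s, renewed at 400 s (access token expired, refresh token good for another 30 minutes from that point), and expired at 2300 s after more than 30 minutes idle.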

Details

Provenance
anlambertAuthored on Dec 9 2020, 4:10 PM
anlambertPushed on Jan 5 2021, 10:53 AM
Differential Revision
D4697: auth: Implement access token renewal in OIDC Authorization Code backend
Parents
rDWAPPSe131fa7ae236: Don't log throttle config passthrough to Sentry.
Branches
Unknown
Tags
Unknown
Build Status
Buildable 18169
Build 28045: test-and-build