Change Details

Previously when an access token has expired, the OIDC session was attempted to be silently refreshed through the use of the OIDCSessionRefreshMiddleware class. But silent refresh should be performed at last resort when an OIDC session just expired. Thus, that diff implements access token renewal directly in the django auth backend throug the use of a refresh token. Currently, refresh token have a living period of 30 minutes, meaning a user can have its authenticated session in idle state during that period. If he visits a new web page during that idle period, its authenticated session will then be renewed for another 30 minutes.

Previously when an access token has expired, the OIDC session was attempted to be silently refreshed through the use of the OIDCSessionRefreshMiddleware class. But silent refresh should only be performed with the OIDC Implicit flow as no refresh token gets issued in that case. swh-web uses OIDC Authorization Code flow to login users so that commit implements access token renewal directly in the django auth backend through the use of a refresh token. Currently, refresh token have a living period of 30 minutes, meaning a user can have its authenticated session in idle state during that period. If he visits a new web page during that idle period, its authenticated session will then be renewed for another 30 minutes. Also rename OIDCSessionRefreshMiddleware to OIDCSessionExpiredMiddleware. The middleware will now simply redirects to the logout page if it detects the OIDC session has expired.

Previously when an access token has expired, the OIDC session was attempted to be silently refreshed through the use of the OIDCSessionRefreshMiddleware class. But silent refresh should be performed at last resort when an OIDC session just expired. Thus, that diff implements access token renewal directly inBut silent refresh should only be performed with the OIDC Implicit flow as no refresh token gets issued in that case. swh-web uses OIDC Authorization Code flow to login users so that commit implements access token renewal directly in the django auth backend through the use of a refresh token. Currently, refresh token have a living period of 30 minutes, meaning a user can have its authenticated session in idle state during that period. If he visits a new web page during that idle period, its authenticated session will then be renewed for another 30 minutes. Also rename OIDCSessionRefreshMiddleware to OIDCSessionExpiredMiddleware. The middleware will now simply redirects to the logout page if it detects the OIDC session has expired.