
auth/backends: Use offline refresh token for Web API authentication

1 unresolved thread

Previously, to authenticate a Web API request, users had to send an access token provided by Keycloak in the HTTP authorization header. But those tokens are short lived (usually a couple of minutes) and authentication fails once they have expired. So to get a new access token without logging in again, users have to ask Keycloak for a new one using a refresh token (generated at the same time as the access token).

So users that need to make a large number of authenticated API calls have to implement the token renewal logic on their side (see swh-web-client for instance).

For the convenience of Web API users, simplify the OIDC authentication workflow by handling access token renewal directly in the DRF authentication backend.

This means that once a user gets their offline refresh token, they can store it and use it to authenticate all their API calls until the token gets revoked.

To limit the number of requests sent to the authentication provider (Keycloak), access tokens are put in cache until they expire (usually a couple of minutes).
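The workflow described above (client sends an offline refresh token, the backend exchanges it for an access token and caches that access token until it expires), as an added illustration that is not swh-web's own code: FakeKeycloak, TokenCache and OfflineTokenBackend are stand-ins constructed for this example, and the Bearer parsing, cache key derivation and timeout handling are assumptions about how such a backend would be written, not the project's implementation.

```python
"""Model of an authentication backend that accepts an OIDC offline refresh
token as a Bearer credential, exchanges it for a short-lived access token
and caches that access token until it expires.  FakeKeycloak, TokenCache
and OfflineTokenBackend are constructed for this example; they are not
swh-web's or Keycloak's API."""
import hashlib
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple


class AuthenticationFailed(Exception):
    """Raised when credentials are present but cannot be validated."""


@dataclass
class FakeKeycloak:
    """Stand-in for the OIDC provider: maps offline refresh tokens to users
    and issues access tokens with a short lifetime, like real Keycloak."""
    refresh_tokens: Dict[str, str]           # refresh token -> username
    revoked: Set[str] = field(default_factory=set)
    access_token_lifetime: int = 300         # seconds (constructed value)
    exchanges: int = 0                       # how often the provider was called

    def refresh(self, refresh_token: str) -> dict:
        """Exchange a refresh token for a new access token."""
        self.exchanges += 1
        user = self.refresh_tokens.get(refresh_token)
        if user is None or refresh_token in self.revoked:
            raise AuthenticationFailed("refresh token is invalid or has been revoked")
        return {"access_token": f"access-{user}-{self.exchanges}",
                "expires_in": self.access_token_lifetime,
                "preferred_username": user}


class TokenCache:
    """Minimal TTL cache standing in for Django's cache framework; the clock
    is injectable so expiry can be exercised deterministically."""

    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self._clock = clock
        self._entries: Dict[str, Tuple[dict, float]] = {}

    def get(self, key: str) -> Optional[dict]:
        entry = self._entries.get(key)
        if entry is None:
            return None
        value, expires_at = entry
        if self._clock() >= expires_at:
            del self._entries[key]           # lazy eviction of expired entries
            return None
        return value

    def set(self, key: str, value: dict, timeout: float) -> None:
        self._entries[key] = (value, self._clock() + timeout)


def cache_key_for(token: str) -> str:
    """Hash the credential so the key fits memcached's 250-byte key limit and
    the raw refresh token is never used as a cache key."""
    return "oidc-access:" + hashlib.sha256(token.encode("utf-8")).hexdigest()


class OfflineTokenBackend:
    """DRF-style authenticate(): returns the username, None when no
    credentials are supplied, raises AuthenticationFailed otherwise."""

    def __init__(self, provider: FakeKeycloak, cache: TokenCache,
                 safety_margin: int = 10) -> None:
        self.provider = provider
        self.cache = cache
        # Expire cache entries a little before the access token does, so a
        # request never reuses a token the provider is about to reject.
        self.safety_margin = safety_margin

    def authenticate(self, authorization_header: Optional[str]) -> Optional[str]:
        if not authorization_header:
            return None                      # anonymous request
        parts = authorization_header.split()
        if len(parts) != 2 or parts[0].lower() != "bearer":
            raise AuthenticationFailed(
                f"Invalid or unsupported HTTP authorization type ({parts[0] if parts else ''}).")
        refresh_token = parts[1]
        key = cache_key_for(refresh_token)
        cached = self.cache.get(key)
        if cached is not None:
            return cached["preferred_username"]   # no round trip to Keycloak
        # Cache miss (first use, or the access token expired): renew it now.
        result = self.provider.refresh(refresh_token)
        self.cache.set(key, result, max(result["expires_in"] - self.safety_margin, 0))
        return result["preferred_username"]


def run_scenario() -> dict:
    """First use, cache hit, expiry and revocation under a controllable clock."""
    now = [1000.0]
    kc = FakeKeycloak(refresh_tokens={"rt-alice": "alice"})
    backend = OfflineTokenBackend(kc, TokenCache(clock=lambda: now[0]))
    obs = {"anonymous": backend.authenticate(None),
           "first": backend.authenticate("Bearer rt-alice"),
           "second": backend.authenticate("Bearer rt-alice")}
    obs["exchanges_after_two_calls"] = kc.exchanges   # second call hit the cache
    now[0] += 300                                     # access token has expired
    obs["after_expiry"] = backend.authenticate("Bearer rt-alice")
    obs["exchanges_after_expiry"] = kc.exchanges      # renewed exactly once more
    kc.revoked.add("rt-alice")                        # offline token revoked at Keycloak
    obs["revoked_but_cached"] = backend.authenticate("Bearer rt-alice")  # still served
    now[0] += 300
    try:
        backend.authenticate("Bearer rt-alice")
        obs["revoked_after_expiry"] = "accepted"
    except AuthenticationFailed:
        obs["revoked_after_expiry"] = "rejected"
    return obs


if __name__ == "__main__":
    print(run_scenario())
```

The scenario makes the trade-off of the caching step visible: a revoked refresh token keeps working for the remainder of the cached access token's lifetime, so the cache timeout (here taken from the provider's `expires_in`, minus a small margin) bounds the revocation latency; a fixed, longer timeout would widen that window.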

Related to #1927 (closed)


Migrated from D3849 (view on Phabricator)

Merge request reports

Closed by Phabricator Migration user (Aug 27, 2020 4:51pm UTC)

Activity

  • Build is green

    Patch application report for D3849 (id=13597)

    Rebasing onto b6820d3f...

    Current branch diff-target is up to date.
    Changes applied before test
    commit 998bdea8a558053fbcbe99e40ca10ce43621df1b
    Author: Antoine Lambert <antoine.lambert@inria.fr>
    Date:   Thu Aug 27 11:27:28 2020 +0200
    
        auth/backends: Use offline refresh token for Web API authentication
        
        For commodity of use for Web API users, simplify the OIDC authentication worflow
        by handling access token renewal directly in the DRF authentication backend.
        
        This means once a user gets it offline refresh token, he can store it and use
        it to authenticate all its API calls until the token gets revocated.
        
        To limit the number of requests sent to the authentication provider (Keycloak),
        access tokens are put in cache until they expires (usually a couple of minutes).
        
        Related to #1927

    See https://jenkins.softwareheritage.org/job/DWAPPS/job/tests-on-diff/343/ for more details.

  • Author Maintainer

    Fix typos in commit message

  • Build is green

    Patch application report for D3849 (id=13598)

    Rebasing onto b6820d3f...

    Current branch diff-target is up to date.
    Changes applied before test
    commit eb6b9418d18960031a1740517bf9b75dce48c016
    Author: Antoine Lambert <antoine.lambert@inria.fr>
    Date:   Thu Aug 27 11:27:28 2020 +0200
    
        auth/backends: Use offline refresh token for Web API authentication
        
        For commodity of use for Web API users, simplify the OIDC authentication worflow
        by handling access token renewal directly in the DRF authentication backend.
        
        This means once a user gets his offline refresh token, he can store it and uses
        it to authenticate all his API calls until the token gets revocated.
        
        To limit the number of requests sent to the authentication provider (Keycloak),
        access tokens are put in cache until they expire (usually a couple of minutes).
        
        Related to #1927

    See https://jenkins.softwareheritage.org/job/DWAPPS/job/tests-on-diff/344/ for more details.

  • vlorentz (@vlorentz) started a thread on the diff
139 140 (f"Invalid or unsupported HTTP authorization" f" type ({auth_type}).")
140 141 )
141 142 try:
142 # attempt to decode token
143 decoded_token = _oidc_client.decode_token(token)
143
144 # compute a cache key from the token that does not exceed
145 # memcached key size limit
146 hasher = hashlib.sha1()
  • vlorentz mentioned in merge request swh-web-client!7 (closed)

  • Merge request was accepted

  • vlorentz approved this merge request

  • Author Maintainer

    Update: Address @vlorentz comment

  • Build is green

    Patch application report for D3849 (id=13601)

    Rebasing onto b6820d3f...

    Current branch diff-target is up to date.
    Changes applied before test
    commit 3250335c25c551f8712c6985ddad0c89c24ea20f
    Author: Antoine Lambert <antoine.lambert@inria.fr>
    Date:   Thu Aug 27 11:27:28 2020 +0200
    
        auth/backends: Use offline refresh token for Web API authentication
        
        For commodity of use for Web API users, simplify the OIDC authentication worflow
        by handling access token renewal directly in the DRF authentication backend.
        
        This means once a user gets his offline refresh token, he can store it and uses
        it to authenticate all his API calls until the token gets revocated.
        
        To limit the number of requests sent to the authentication provider (Keycloak),
        access tokens are put in cache until they expire (usually a couple of minutes).
        
        Related to #1927

    See https://jenkins.softwareheritage.org/job/DWAPPS/job/tests-on-diff/345/ for more details.

  • Author Maintainer

    Merge request was merged
