
auth: Implement access token renewal in OIDC Authorization Code backend

Previously, when an access token had expired, the OIDC session was attempted to be silently refreshed through the use of the OIDCSessionRefreshMiddleware class.

But silent refresh should only be performed with the OIDC Implicit flow as no refresh token gets issued in that case.

swh-web uses the OIDC Authorization Code flow to log in users, so this commit implements access token renewal directly in the Django auth backend through the use of a refresh token.

Currently, refresh tokens have a living period of 30 minutes, meaning a user can have his authenticated session in idle state during that period. If he visits a new web page during that idle period, his authenticated session will then be renewed for another 30 minutes.

Also rename OIDCSessionRefreshMiddleware to OIDCSessionExpiredMiddleware. The middleware will now simply redirect to the logout page if it detects the OIDC session has expired.


Migrated from D4697 (view on Phabricator)
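The renewal and expiry logic described in the commit message, as an added illustration that is not swh-web's code. It models the two pieces the message names: the auth backend renewing an expired access token with the refresh token while that refresh token is still valid, and the middleware redirecting to logout once the refresh token itself has expired. The 30-minute refresh token lifetime is the value stated above; the 5-minute access token lifetime, the class and function names (`OIDCTokens`, `FakeTokenEndpoint`, `renew_if_needed`, `process_request`) and the session layout are assumptions, and the token endpoint is a constructed stand-in rather than a real OIDC provider.

```python
"""Refresh-token-based access token renewal plus session-expiry handling.

Added illustration, not swh-web's code. Names and the access token lifetime
are assumptions; the 30-minute refresh token lifetime comes from the commit
message. Times are absolute seconds so the scenario is deterministic.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

ACCESS_TOKEN_LIFETIME = 5 * 60     # assumed value, seconds
REFRESH_TOKEN_LIFETIME = 30 * 60   # value stated in the commit message, seconds


@dataclass
class OIDCTokens:
    access_token: str
    access_expires_at: float       # absolute time the access token stops being valid
    refresh_token: str
    refresh_expires_at: float      # absolute time the refresh token stops being valid


class FakeTokenEndpoint:
    """Constructed stand-in for the OIDC provider's token endpoint.

    It rotates the refresh token on every renewal and only honours the one it
    issued last, so a stale or replayed refresh token is rejected.
    """

    def __init__(self) -> None:
        self.generation = 0
        self.current_refresh: Optional[str] = None

    def issue(self, now: float) -> OIDCTokens:
        """Issue a fresh token pair, as the provider does at login or renewal."""
        self.generation += 1
        self.current_refresh = f"refresh-{self.generation}"
        return OIDCTokens(
            access_token=f"access-{self.generation}",
            access_expires_at=now + ACCESS_TOKEN_LIFETIME,
            refresh_token=self.current_refresh,
            refresh_expires_at=now + REFRESH_TOKEN_LIFETIME,
        )

    def refresh(self, refresh_token: str, now: float) -> Optional[OIDCTokens]:
        """Return a new pair for a valid refresh token, None otherwise."""
        if refresh_token != self.current_refresh:
            return None
        return self.issue(now)


def renew_if_needed(
    tokens: OIDCTokens, endpoint: FakeTokenEndpoint, now: float
) -> Tuple[Optional[OIDCTokens], str]:
    """Auth backend side: keep, renew or give up on the current tokens.

    Returns (tokens, status) with status in {"valid", "renewed", "expired"}.
    Renewal is only attempted while the refresh token is still alive, which is
    what gives the 30-minute idle window described in the commit message.
    """
    if now < tokens.access_expires_at:
        return tokens, "valid"
    if now < tokens.refresh_expires_at:
        renewed = endpoint.refresh(tokens.refresh_token, now)
        if renewed is not None:
            return renewed, "renewed"
    return None, "expired"


def process_request(session: dict, endpoint: FakeTokenEndpoint, now: float) -> str:
    """Middleware side: 'ok' to continue, 'logout' to redirect to the logout page.

    An expired OIDC session is cleared from the Django-style session dict so the
    stale tokens are not reused on a later request.
    """
    tokens = session.get("oidc_tokens")
    if tokens is None:
        return "ok"   # anonymous request, nothing to check
    tokens, status = renew_if_needed(tokens, endpoint, now)
    if status == "expired":
        session.pop("oidc_tokens")
        return "logout"
    session["oidc_tokens"] = tokens   # persist renewed tokens for the next request
    return "ok"


if __name__ == "__main__":
    endpoint = FakeTokenEndpoint()
    session = {"oidc_tokens": endpoint.issue(0.0)}   # login at t=0
    for t in (100.0, 600.0, 2500.0):
        print(t, process_request(session, endpoint, t))
```

Walking the scenario in the `__main__` block: at t=100 the access token is still valid; at t=600 it has expired but the refresh token (valid until t=1800) renews the pair and pushes the refresh deadline to t=2400; at t=2500 both have expired, the session is cleared and the middleware answers with a redirect to logout.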
